ABSTRACT


This monograph presents the Timed Input/Output Automaton (TIOA) modeling framework, a basic 
mathematical framework to support description and analysis of timed (computing) systems. Timed 
systems are systems in which desirable correctness or performance properties of the system depend 
on the timing of events, not just on the order of their occurrence. Timed systems are employed in a 
wide range of domains including communications, embedded systems, real-time operating systems, 
and automated control. Many applications involving timed systems have strong safety, reliability, 
and predictability requirements, which make it important to have methods for systematic design of 
systems and rigorous analysis of timing-dependent behavior. 

The TIOA framework also supports description and analysis of timed distributed 
algorithms—distributed algorithms whose correctness and performance depend on the relative 
speeds of processors, accuracy of local clocks, or communication delay bounds. Such algorithms 
arise, for example, in traditional and wireless communications, networks of mobile devices, and 
shared-memory multiprocessors. The need to prove rigorous theoretical results about timed dis- 
tributed algorithms makes it important to have a suitable mathematical foundation. 

An important feature of the TIOA framework is its support for decomposing timed system 
descriptions. In particular, the framework includes a notion of external behavior for a timed I/O 
automaton, which captures its discrete interactions with its environment. The framework also defines 
what it means for one TIOA to implement another, based on an inclusion relationship between their 
external behavior sets, and defines notions of simulations, which provide sufficient conditions for 
demonstrating implementation relationships. The framework includes a composition operation for 
TIOAs, which respects external behavior, and a notion of receptiveness, which implies that a TIOA 
does not block the passage of time. 

The TIOA framework also defines the notion of a property and what it means for a property 
to be a safety or a liveness property. It includes results that capture common proof methods for 
showing that automata satisfy properties. 


KEYWORDS 


timed computing systems, distributed algorithms, formal modeling and verification, 
I/O automata 
CHAPTER 1


Introduction 


1.1 OVERVIEW 


This book presents the Timed Input/Output Automaton (TIOA) modeling framework, a basic mathematical 
framework to support description and analysis of timed computing systems and timed 
distributed algorithms. 


Timed systems and timed algorithms: Timed computing systems are systems in which desirable 
correctness or performance properties of the system depend on the timing of events, not just on the 
order of their occurrence. A typical timed system consists of computer components, which operate 
in discrete steps, and timing-related components such as physical or logical clocks, whose behavior 
involves continuous transformation over time. Timed systems are employed in a wide range of domains 
including communications, embedded systems, real-time operating systems, and automated 
control. Many applications involving timed systems have strong safety, reliability and predictability 
requirements, which make it important to have methods for systematic design of systems and rigorous 
analysis of timing-dependent behavior. Timed distributed algorithms are distributed algorithms 
whose correctness and performance depend on factors related to timing, such as the relative speeds 
of processors, the accuracy of local clocks, or communication delay bounds. Such algorithms arise, 
for example, in traditional and wireless communications, networks of mobile devices, and shared-memory 
multiprocessors. The need to prove rigorous theoretical results about timed distributed 
algorithms makes it important to have a suitable mathematical foundation. 

Modeling plays a key role in all stages in the design and analysis of systems. Models represent 
system designs at a level of abstraction that is suitable for isolating and focusing on their most 
crucial aspects. They can be modified and experimented with more easily than real implementations. 
Moreover, if the modeling is performed using the concepts provided by a formal framework, the 
modeling can be done more precisely, and analysis and verification methods supported by that 
framework can be applied. Timed systems, which combine discrete steps with continuous evolution 
of state over time, exhibit complex behaviors that are typically hard to describe and analyze in the 
absence of a carefully developed modeling framework [34, 108, 109]. 

Modeling is equally important for distributed algorithms. To be meaningful, rigorous theoret- 
ical results about algorithm behavior must rest on some type of mathematical model. Many, perhaps 
most, papers about distributed algorithms define special-purpose models from scratch; a general 
modeling framework can be used as a foundation for defining special-purpose models, making 
it unnecessary to redefine general concepts and reprove general results. For timed distributed algo- 
rithms, defining models is especially challenging; a general framework can make the job much easier. 
A good modeling framework can support algorithm description at different levels of abstraction. It 
can serve as the basis for algorithm simulation, and can support formal analysis. 

A modeling framework must support designing systems and algorithms in structured ways, 
viewing them at multiple levels of abstraction and as compositions of interacting components. 
If a framework is to provide flexibility and generality, it must also support nondeterminism. A 
system or algorithm designer might wish to allow several potential behaviors at certain points in the 
computation of a system, for example, to avoid making assumptions about how the environment will 
behave, or to allow several correct implementations for the same design. Such liberty in specification 
would not be possible to accommodate without nondeterminism. In addition to supporting all of 
these features, modeling frameworks for timed systems and algorithms must provide mechanisms 
for representing continuously evolving components such as clocks and timers. 

An interesting complication that arises in modeling timed systems and algorithms is that 
time can progress in ways that conflict with our intuition about physical time. For example, we may 
force time to stop entirely to "urge" some discrete action to happen, or schedule infinitely many 
discrete actions to happen in a finite amount of time. A framework needs to provide concepts that 
identify the conditions under which a timed system behaves according to our intuitions, that is, the 
conditions under which time diverges as the system continues to run. 


Timed I/O Automata: In this work, we introduce a basic mathematical framework, the Timed 
Input/Output Automaton modeling framework, to support description and analysis of timed systems. 
In this framework, a system is represented as a Timed I/O Automaton (TIOA), which is a kind of 
nondeterministic, possibly infinite-state, state machine. The state of a TIOA is described by a 
valuation of state variables that are internal to the automaton. The state of a TIOA can change in 
two ways: instantaneously by the occurrence of a discrete transition, which is labeled by a discrete 
action, or according to a trajectory, which is a function that describes the evolution of the state 
variables over intervals of time. Trajectories may be continuous or discontinuous functions. 

The TIOA framework supports decomposition of system description and analysis. A key to 
this decomposition is the rigorously-defined notion of external behavior for timed I/O automata. The 
external behavior of each TIOA is defined by a simple mathematical object called a trace—essentially, 
a sequence of actions interspersed with time-passage steps. Abstraction and parallel composition are 
other important notions for decomposition of system description and analysis. 

For abstraction, the framework includes notions of implementation and simulation, which 
can be used to view timed systems and algorithms at multiple levels of abstraction, starting from 
a high-level version that describes required properties, and ending with a low-level version that 
describes a detailed design or implementation. In particular, the TIOA framework defines what it 
means for one TIOA, A, to implement another TIOA, B, namely, any trace that can be exhibited 
by A is also allowed by B. In this case, A might be more deterministic than B, in terms of either 
discrete transitions or trajectories. For instance, B might be allowed to perform an output action at an 
arbitrary time before noon, whereas A produces the same output sometime between 10 and 11 AM. 
The notion of a simulation relation from A to B provides a sufficient condition for demonstrating 
that A implements B. A simulation relation is defined to satisfy three conditions, one relating start 
states, one relating discrete transitions, and one relating trajectories of A and B. 

For parallel composition, the framework provides a composition operation, by which TIOAs 
modeling individual timed system components can be combined to produce a model for a larger 
timed system. The model for the composed system can describe interactions among the components, 
which involves joint participation in discrete transitions. Composition requires certain "compatibil- 
ity" conditions, namely, that each output action be controlled by at most one automaton, and that 
internal actions of one automaton cannot be shared with any other automaton. The composition 
operation respects traces, for example, if A1 implements A2 then the composition of A1 and B 
implements the composition of A2 and B. Composition also satisfies projection and pasting results, 
which are fundamental for compositional design and verification of systems: a trace of a composition 
of TIOAs “projects” to give traces of the individual TIOAs, and traces of components are “pastable” 
to give behaviors of the composition. 

If a TIOA approaches a finite point in time without quite reaching it, or schedules infinitely 
many discrete actions to happen in a finite amount of time, it is said to exhibit Zeno behavior, in 
reference to Zeno's paradox [76]. The TIOA framework includes a notion of receptiveness, which is 
used to classify automata that do not contribute to producing Zeno behavior, and which is preserved 
by composition. Receptiveness of a TIOA, A, in the TIOA framework is defined in terms of the 
existence of a strategy, which is defined as a subautomaton of A that chooses some of the evolutions 
from each state of A. 

The TIOA framework also supports a notion of a property, which is defined for sequences of 
alternating actions and trajectories, and includes a definition of what it means for an automaton to 
satisfy a property. The framework also includes basic results about the classification of properties as 
safety and liveness properties and common proof methods for showing automata satisfy the stated 
properties. 

The TIOA framework presented in this work is purely mathematical. However, it constitutes 
a natural basis for computer support tools [57]. A preliminary version of a toolset is available at 
http://www.veromodo.com. 
The TIOA modeling framework presented in this book evolved from the Hybrid Input/Output Au- 
tomaton (HIOA) modeling framework for hybrid systems [79] by Lynch, Segala and Vaandrager. 
The HIOA framework, in turn, evolved from the I/O automata of [83, 84, 76, 53, 54], a fundamental 
modeling framework for (untimed) asynchronous systems. Our approach is based on the assumption 
that a timed system can be viewed as a special kind of a hybrid system where the continuous trans- 
formation is limited to internal system components that determine the timing of events. Therefore, 
we define a TIOA as a restricted HIOA where the only essential difference between an HIOA and 
a TIOA is that an HIOA may have external variables to model the continuous information flowing 
into and out of the system, in addition to state variables. A major consequence of this definition 
is that the communication between TIOAs is restricted to shared-action communication only. The 
TIOA model does not impose any further restrictions on the expressive power of the HIOA model. 

We developed this new modeling framework even though there are several timed automaton 
models that extend the basic I/O automaton model [91, 107, 87, 86], because we have observed 
that the new HIOA modeling framework offered a way of improving and simplifying previous work 
on timed I/O automaton models [107, 87, 86]. For example, the use of trajectories as first-class 
objects to represent the external behavior of a timed automaton, the definition of a strategy as an 
automaton rather than a two-player game, and the variable structure on states are all new features 
that were motivated by what we learned in developing the HIOA framework and that gave rise to 
more elegant definitions and simpler proofs for timed automata. 

We intend the TIOA model to serve as a general semantic framework in which previous results 
for timed I/O automata [87, 91, 107, 86] and other related models [7, 88, 100, 23] can be re-cast 
in a style that is upwardly compatible with the new HIOA model. Limiting the communication 
to discrete interactions is an apt choice since the previous timed I/O automaton models also adopt 
this type of communication. On the other hand, by avoiding any further restrictions on the general 
hybrid model, we obtain an expressive model suitable for specifying complex timing behavior. For 
example, our model does not require variables to be either discrete or to evolve at the same rate as 
real time as in some other models [7, 100]. Consequently, algorithms such as clock synchronization 
algorithms that use local clocks evolving at different and varying rates can be formalized naturally in 
our framework. The TIOA model can also naturally describe systems undergoing dynamic changes 
and reconfigurations through component failures, joins, recoveries, etc. 

The fact that HIOAs subsume TIOAs as a special case does not eliminate the need for a 
separate modeling framework for timed systems. Having no external variables in the TIOA model 
gives rise to considerable simplifications in the theory. For example, proving that the composition 
of two timed automata is a well-defined automaton becomes simpler in the absence of external 
variables; no extra compatibility conditions as in the general HIOA framework are needed to obtain 
the desirable composition theorems for TIOAs. 

In the past few years, we and others have developed the Tempo formal language for describing 
TIOAs, along with a collection of basic tools for analyzing Tempo programs. The syntax of the 
language corresponds closely to the pseudocode style used in this book. The tools consist of: (a) a 
front-end processor for Tempo, incorporating syntax and static semantic checking; (b) a simulation 
tool allowing simulation of Tempo specifications; (c) a model-checking link through an interface to 
the model-checker UPPAAL [100, 66]; and (d) a theorem-proving link through an interface to the 
theorem-prover PVS [98]. We refer to [57, 56, 32, 33] for more information on the TIOA toolset, 
and to the Tempo project web site [51]. The web site includes a user manual for Tempo, which 
contains comprehensive information about the language and several detailed examples. The Tempo 
project builds upon our prior work on the IOA language [35]. 

TIOAs have been used to specify and analyze many timed systems, from a variety of domains 
including vehicle and air-traffic control systems [44, 120, 119, 68, 117, 27, 74, 72, 70, 43, 77], 
communications [111, 112, 71, 73, 69, 29, 62, 116], and mobile robotics [78, 39, 40]. The TIOA 
framework has also been used as the foundation for describing and analyzing many timed dis- 
tributed algorithms, including algorithms for implementing atomic memory [82, 38, 41, 20], for 
synchronizing clocks [28, 30, 63, 61], and for implementing applications in mobile wireless net- 
works [26, 25, 96, 97, 16, 19]. Some of this work has involved development of new application- 
dependent structure in terms of TIOA; for instance, Nolte [96] defined concepts related to self- 
stabilization of wireless network algorithms. 


1.3 RELATED WORK 


There are several formalisms and tools for timed systems that are based on automata and state 
transition models. In this section, we briefly introduce those lines of work that we think are most 
closely related to ours. Note that we do not focus on the toolsets and their capabilities, but rather on 
the underlying formal models and languages. 

One of the widely used formal frameworks for timed systems is that of Alur-Dill timed 
automata [7, 5]. An Alur-Dill automaton is a finite directed multigraph augmented with a finite set 
of clock variables. The semantics of such a timed automaton are defined as a state transition system 
in which each state consists of a location and a clock valuation. Clocks are assumed to change with 
the same rate as real-time, that is, with rate 1. Timed automata accept timed languages consisting of 
sequences of events tagged with their occurrence times. The main technical result for timed automata 
is that emptiness and reachability are decidable. Decision problems such as universality and language 
inclusion are undecidable for timed automata. A slight generalization of Alur-Dill timed automata 
are the linear hybrid automata of [6]. In this model, apart from clocks that progress with rate 1, one 
can also use continuous variables whose derivatives are contained in some arbitrary interval. The 
reachability problem for linear hybrid automata is undecidable [6]. 

The aim of facilitating automated verification has motivated the restrictions on the expressive 
power in the Alur-Dill and linear hybrid automata models. Over the two last decades, numerous 
papers have refined the decidability boundary of [7, 5]; for instance, see [50, 64, 18, 13, 8, 118]. 
The timed automaton model presented in this book is much more expressive than the Alur-Dill and 
linear hybrid automata models. In our model, there are no finiteness assumptions and no restrictions 
imposed on the dynamic types of variables. Our focus has been to develop a general formal framework 
with a well-defined notion of external behavior, parallel composition and abstraction that supports 
reasoning with simulation relations. 

Uppaal [100, 66] is a widely used modeling and verification tool for timed systems. It supports 
the description of systems as a network of Alur-Dill timed automata and enhances that model with 
CCS-style communication [92] along with other notions such as committed and urgent locations. 
Uppaal also supports (synchronous) broadcast communication and communication via shared vari- 
ables. Uppaal has a sophisticated model-checker that explores the whole state space of the modeled 
system to verify timing properties. Therefore, finiteness assumptions are built into the model to 
make such verification possible and the operations on clocks are restricted. Uppaal can be used as a 
model-checker for restricted TIOAs. We have done some preliminary work in this direction [104]. 
A compositional simulation-based verification method for Uppaal was presented in [11] and 
is applied to the Zeroconf protocol in [10]. It would be interesting to work on an alternative com- 
positional semantics for (a subset of) Uppaal based on some variation of our restricted hybrid I/O 
automaton model. There are several small mismatches due to the style of communication and notions 
such as committed locations. It remains to be seen to what extent we can use the communication 
mechanisms of our automata to model these formally. We could, for example, allow a nonempty set 
of external variables with restricted dynamic types and seek restrictions on the use of shared variables 
in Uppaal, which would allow us to view these variables as external variables in the HIOA sense. 
Recently, an extension of Uppaal with input and output actions, also called timed I/O automata, was 
proposed in [21] aiming at compositional design using the concepts of timed games [17]. 

Kronos [121, 22] is another verification tool for timed systems that uses Alur-Dill automata. 
This tool requires systems to be represented as timed automata and the correctness conditions to 
be expressed in the real-time temporal logic TCTL [4]. Kronos, as Uppaal, can perform model- 
checking using a symbolic representation of the infinite state space by sets of linear constraints. 
Kronos can model-check full TCTL and implements the symbolic algorithm developed by [46]. It 
would be possible to use Kronos as a model-checker for restricted TIOAs. 

The IF notation, which is the intermediate representation used in the IF toolset [15], is based 
on Alur-Dill automata extended with discrete data variables, communication primitives, dynamic 
process creation and destruction. This notation has been designed such that it can serve as a target for 
the translation of higher-level modeling languages, such as real-time extensions of SDL and UML. 
The support for dynamic process creation and destruction appears to be a distinguishing feature of 
the IF notation. 

A well-known model checking tool for linear hybrid automata (based on a semi-decision 
procedure) is HyTech [47]. The input language of HyTech can be translated into our TIOA model, 
to apply TIOA verification methods. Likewise, TIOAs whose continuous variables conform to the 
linearity conditions of HyTech could be verified using model-checking capabilities of HyTech. For 
an overview of verification tools for hybrid systems we refer to [99]. 

The timed I/O automaton modeling framework presented in this monograph can be used to 
express models that use lower and upper time bounds on tasks or actions [91, 88]. Our framework 
includes an operation for adding time bounds on a subset of the actions of a timed automaton. As 
a result of this operation, lower bounds are transformed to appropriate preconditions for transitions 
and upper bounds are transformed to stopping conditions for trajectories. 

An interesting timed automaton model called “Clock GTA” was introduced in [23]. The 
model was used for describing algorithms that behave in accordance with their timing constraints in 
certain intervals but may exhibit timing failures for some other intervals. The possibility of expressing 
such an ability turns out to be crucial for performance and fault-tolerance analysis for practical 
algorithms [23, 75]. We are interested in finding a systematic way of describing such behavior with 
our timed I/O automaton model. 


1.4 ORGANIZATION OF THE BOOK 


The rest of this book is organized as follows. Chapter 2 contains mathematical preliminaries. Chap- 
ter 3 defines notions that are useful for describing the behavior of timed systems, most importantly, 
trajectories and timed sequences. Chapter 4 defines timed automata (TAs), which contain all of the 
structure of TIOAs except for the classification of external actions as inputs or outputs. It also defines 
external behavior for TAs and implementation and simulation relationships between TAs. Chap- 
ter 5 presents composition and hiding operations for TAs, along with operations for adding bounds 
that relate TAs to other timed automaton models. Chapter 6 presents definitions and results on 
the classification of properties of TAs as safety and liveness properties. Chapter 7 defines timed I/O 
automata (TIOAs) by adding an input/output classification to TAs, and extends the theory of TAs to 
TIOAs. It also defines special kinds of TIOAs such as progressive and receptive TIOAs. Chapter 8 
presents compositionality results for TIOAs in general, and for the special classes of progressive and 
receptive TIOAs. Finally, Chapter 9 presents some conclusions and discusses future work. Examples 
are included throughout. 

An earlier edition of this book was published in 2006 [59]. In this second edition, some 
minor errors in the first edition have been corrected and some clarifications and references have been 
added. We have also included new material in Chapter 6 on properties, and several other results 
about composition. A still earlier version of the work appeared in [58]. 


CHAPTER 2 


Mathematical Preliminaries 


In this chapter, we give basic mathematical definitions and notation that will be used as a foundation 
for our definitions of timed automata and timed I/O automata. These definitions involve functions, 
sequences, partial orders, and untimed automata. Many readers might prefer to skip directly to 
Chapter 4, referring back to Chapters 2 and 3 as needed. 


2.1 FUNCTIONS AND RELATIONS 


If $f$ is a function, then we denote the domain and range of $f$ by $dom(f)$ and $range(f)$, respectively. 
If $S$ is a set, then we write $f \lceil S$ for the restriction of $f$ to $S$, that is, the function $g$ with 
$dom(g) = dom(f) \cap S$ such that $g(c) = f(c)$ for each $c \in dom(g)$. 

We say that two functions, $f$ and $g$, are compatible if $f \lceil dom(g) = g \lceil dom(f)$. If $f$ and $g$ 
are compatible functions then we write $f \cup g$ for the unique function $h$ with $dom(h) = dom(f) \cup dom(g)$ 
satisfying the condition: for each $c \in dom(h)$, if $c \in dom(f)$ then $h(c) = f(c)$ and if $c \in dom(g)$ 
then $h(c) = g(c)$. More generally, if $F$ is a set of pairwise compatible functions then we 
write $\bigcup F$ for the unique function $h$ with $dom(h) = \bigcup \{dom(f) \mid f \in F\}$ satisfying the condition: 
for each $f \in F$ and $c \in dom(f)$, $h(c) = f(c)$. 

If $f$ is a function whose range is a set of functions and $S$ is a set, then we write $f \downarrow S$ for the 
function $g$ with $dom(g) = dom(f)$ such that $g(c) = f(c) \lceil S$ for each $c \in dom(g)$. 

The restriction operation $\lceil$ is extended to sets of functions by pointwise extension. Also, if 
$f$ is a function whose range is a set of functions, all of which have a particular element $d$ in their 
domain, then we write $f \downarrow d$ for the function $g$ with $dom(g) = dom(f)$ such that $g(c) = f(c)(d)$ 
for each $c \in dom(g)$. 

We say that two functions, $f$ and $g$, whose ranges are sets of functions are pointwise compatible 
if for each $c \in dom(f) \cap dom(g)$, $f(c)$ and $g(c)$ are compatible. If $f$ and $g$ have the same domain 
and are pointwise compatible, then we denote by $f \mathbin{\dot\cup} g$ the function $h$ with $dom(h) = dom(f)$ such 
that $h(c) = f(c) \cup g(c)$ for each $c$. 

A relation over sets $X$ and $Y$ is defined to be any subset of $X \times Y$. If $R$ is a relation, then 
we denote the domain and range of $R$ by $dom(R)$ and $range(R)$, respectively. A relation $R$ over $X$ 
and $Y$ is total over $X$ if $dom(R) = X$. If $R$ is a relation over $X$ and $Y$, and $x \in X$, we define 
$R(x) = \{y \in Y \mid (x, y) \in R\}$. We say that a relation $R$ over $X$ and $Y$ is image-finite if for each 
$x \in X$, $R(x)$ is finite. 
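As an added illustration, not code from the monograph, the Section 2.1 operations over finite functions represented as Python dicts: restriction, compatibility, the union of compatible functions, the two pointwise operations, and the image R(x) of a relation. The helper names and the sample valuations are this example's own. The point worth seeing in code is that the union is only defined for compatible functions: a plain dict merge silently lets one valuation overwrite another, whereas the union below rejects the conflict.

```python
# Added example (not code from the monograph): the Section 2.1 operations over
# finite functions represented as dicts.  All helper names are this example's own.


def restrict(f, S):
    """f restricted to S: domain dom(f) ∩ S, same values there."""
    S = set(S)
    return {c: v for c, v in f.items() if c in S}


def compatible(f, g):
    """f and g are compatible iff they agree wherever both are defined."""
    return restrict(f, g.keys()) == restrict(g, f.keys())


def union(f, g):
    """f ∪ g for compatible f and g.  A plain {**f, **g} would let g silently
    overwrite f on a conflict; here a conflict is an error."""
    if not compatible(f, g):
        conflicts = sorted(c for c in f.keys() & g.keys() if f[c] != g[c])
        raise ValueError(f"functions disagree on {conflicts}")
    return {**f, **g}


def big_union(F):
    """∪F for pairwise compatible F.  Folding union over F is sound: each partial
    result agrees with every member merged so far, so any clash with the next
    member is a clash between two members of F."""
    h = {}
    for f in F:
        h = union(h, f)
    return h


def pointwise_restrict(f, S):
    """f ↓ S: f maps each point to a function; restrict each of those to S."""
    return {c: restrict(fc, S) for c, fc in f.items()}


def project_at(f, d):
    """f ↓ d: the value of d under each function in the range of f."""
    return {c: fc[d] for c, fc in f.items()}


def pointwise_compatible(f, g):
    return all(compatible(f[c], g[c]) for c in f.keys() & g.keys())


def pointwise_union(f, g):
    """Pointwise union: defined only for equal domains and pointwise compatible f, g."""
    if f.keys() != g.keys():
        raise ValueError("pointwise union requires equal domains")
    if not pointwise_compatible(f, g):
        raise ValueError("functions are not pointwise compatible")
    return {c: union(f[c], g[c]) for c in f}


def image(R, x):
    """R(x) = {y | (x, y) ∈ R} for a relation R given as a set of pairs."""
    return {y for (a, y) in R if a == x}


def total_over(R, X):
    """R is total over X iff dom(R) = X."""
    return {a for (a, _) in R} == set(X)


# Constructed sample data: state valuations (variable -> value) of two
# components, and a time-indexed family of valuations as a trajectory gives.
comp_a = {"now": 3, "clock_a": 1}
comp_b = {"clock_a": 1, "queue": ()}
comp_bad = {"clock_a": 2}          # disagrees with comp_a on clock_a
traj = {0: {"x": 0, "y": 1}, 1: {"x": 1, "y": 1}, 2: {"x": 2, "y": 0}}


def demo():
    """Collect the results of the operations on the sample data."""
    try:
        union(comp_a, comp_bad)
        clash = None
    except ValueError as err:
        clash = str(err)
    R = {(1, "a"), (1, "b"), (2, "a")}
    return {
        "restricted": restrict(comp_a, {"now", "missing"}),
        "compatible": compatible(comp_a, comp_b),
        "joint": union(comp_a, comp_b),
        "clash": clash,
        "big": big_union([comp_a, comp_b, {"queue": (), "mode": "idle"}]),
        "x_only": pointwise_restrict(traj, {"x"}),
        "y_values": project_at(traj, "y"),
        "R_of_1": image(R, 1),
        "total": total_over(R, {1, 2}),
        "not_total": total_over(R, {1, 2, 3}),
    }
```

Running `demo()` merges the two compatible component valuations, reports the conflict on `clock_a` for the third, and shows both ↓ operations on the time-indexed family.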


2.2 SEQUENCES 


Let $S$ be any set. A sequence $\sigma$ over $S$ is a function from a downward-closed subset of $\mathbb{Z}^{>0}$ to $S$. 
Thus, the domain of a sequence is either the set of all positive integers, or is of the form $\{1, \ldots, k\}$ 
for some $k$. In the first case, we say that the sequence is infinite, and in the second case finite. We use 
$|\sigma|$ to denote the cardinality of $dom(\sigma)$. The sets of finite and infinite sequences over $S$ are denoted 
by $S^*$ and $S^\omega$, respectively. Concatenation of a finite sequence $\rho$ with a finite or infinite sequence $\sigma$ 
is denoted by $\rho \frown \sigma$. The empty sequence, that is the sequence with the empty domain, is denoted 
by $\lambda$. The sequence containing one element $c \in S$ is abbreviated as $c$. We say that a sequence $\sigma$ is 
a prefix of a sequence $\rho$, denoted by $\sigma \leq \rho$, if $\sigma = \rho \lceil dom(\sigma)$. Thus, $\sigma \leq \rho$ if either $\sigma = \rho$, or $\sigma$ 
is finite and $\rho = \sigma \frown \sigma'$ for some sequence $\sigma'$. If $\sigma$ is a nonempty sequence then $head(\sigma)$ denotes 
the first element of $\sigma$ and $tail(\sigma)$ denotes $\sigma$ with its first element removed. Moreover, if $\sigma$ is finite, 
then $last(\sigma)$ denotes the last element of $\sigma$ and $init(\sigma)$ denotes $\sigma$ with its last element removed. Let 
$\sigma$ and $\sigma'$ be sequences over $S$. Then $\sigma'$ is a subsequence of $\sigma$ provided that there exists a monotone 
increasing function $f : dom(\sigma') \to dom(\sigma)$ such that $\sigma'(i) = \sigma(f(i))$ and $f(i+1) = f(i)+1$ 
for all $i \in dom(\sigma')$. If $1 \leq j_1 \leq j_2 \leq |\sigma|$, then we define $\sigma(j_1 \ldots j_2)$ to be the subsequence of $\sigma$ 
obtained by extracting the elements in positions $j_1, \ldots, j_2$; that is, $\sigma'$ is the subsequence obtained 
from function $f$ of length $j_2 - j_1 + 1$, where $f(i) = i + j_1 - 1$ for all $i \in dom(\sigma')$. 


2.3 PARTIAL ORDERS 


We recall some basic definitions and results regarding partial orders, and in particular, complete 
partial orders (cpos) from [42, 45]. A partial order is a set $S$ together with a binary relation $\sqsubseteq$ that is 
reflexive, antisymmetric, and transitive. In the sequel, we usually denote posets by the set $S$ without 
explicit mention of the binary relation $\sqsubseteq$. 

A subset $P \subseteq S$ is bounded (above) if there is a $c \in S$ such that $d \sqsubseteq c$ for each $d \in P$; in this 
case, $c$ is an upper bound for $P$. A least upper bound (lub) for a subset $P \subseteq S$ is an upper bound $c$ for 
$P$ such that $c \sqsubseteq d$ for every upper bound $d$ for $P$. If $P$ has a lub, then it is necessarily unique, and 
we denote it by $\bigsqcup P$. A subset $P \subseteq S$ is directed if every finite subset $Q$ of $P$ has an upper bound 
in $P$. A poset $S$ is complete, and hence is a complete partial order (cpo), if every directed subset $P$ of $S$ 
has a lub in $S$. 

A finite or infinite sequence of elements, $c_0\, c_1\, c_2 \ldots$, of a partially ordered set $(S, \sqsubseteq)$ is called 
a chain if $c_i \sqsubseteq c_{i+1}$ for each nonfinal index $i$. We define the limit of the chain, $\lim_{i \to \infty} c_i$, to be the 
lub of the set $\{c_0, c_1, c_2, \ldots\}$ if $S$ contains such a bound; otherwise, the limit is undefined. Since a 
chain is a special case of a directed set, each chain of a cpo has a limit. 

A function $f : S \to S'$ between posets $S$ and $S'$ is monotone if $f(c) \sqsubseteq f(d)$ whenever $c \sqsubseteq d$. 
If $f$ is monotone and $P$ is a directed set, then the set $f(P) = \{f(c) \mid c \in P\}$ is directed as well. If 
$f$ is monotone and $f(\bigsqcup P) = \bigsqcup f(P)$ for every directed $P$, then $f$ is said to be continuous. 

An element $c$ of a cpo $S$ is compact if, for every directed set $P$ such that $c \sqsubseteq \bigsqcup P$, there is 
some $d \in P$ such that $c \sqsubseteq d$. We define $K(S)$ to be the set of compact elements of $S$. A cpo $S$ is 
algebraic if every $c \in S$ is the lub of the set $\{d \in K(S) \mid d \sqsubseteq c\}$. A simple example of an algebraic cpo 
is the set of finite or infinite sequences over some given domain, equipped with the prefix ordering. 
Here the compact elements are the finite sequences. 
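As an added example that is not part of the monograph, the sequence operations of Section 2.2 and the prefix ordering of Section 2.3 on finite sequences represented as tuples: the prefix test, head/tail/last/init, the segment σ(j1 ... j2), chains, directedness, the lub of a finite set of finite sequences (which exists exactly when the set is pairwise comparable, since two incomparable finite sequences have no common extension), and a monotonicity check. Infinite sequences and limits of infinite chains are not represented. The function `project` (keep only the elements of a set A) is this example's own choice of a monotone function, and all helper names are assumed.

```python
# Added example, not code from the monograph: Section 2.2 sequence operations and
# the prefix ordering of Section 2.3 on finite sequences represented as tuples.
# Only finite sets of finite sequences are handled; helper names are this example's own.

EMPTY = ()  # the empty sequence λ


def concat(rho, sigma):
    return tuple(rho) + tuple(sigma)


def is_prefix(sigma, rho):
    """σ ≤ ρ iff σ = ρ ⌈ dom(σ), i.e. ρ agrees with σ on σ's positions."""
    return rho[:len(sigma)] == tuple(sigma)


def _nonempty(sigma, op):
    if not sigma:
        raise ValueError(f"{op} of the empty sequence is undefined")


def head(sigma):
    _nonempty(sigma, "head")
    return sigma[0]


def tail(sigma):
    _nonempty(sigma, "tail")
    return sigma[1:]


def last(sigma):
    _nonempty(sigma, "last")
    return sigma[-1]


def init(sigma):
    _nonempty(sigma, "init")
    return sigma[:-1]


def segment(sigma, j1, j2):
    """σ(j1 ... j2): positions j1..j2, 1-based and inclusive."""
    if not 1 <= j1 <= j2 <= len(sigma):
        raise ValueError("need 1 <= j1 <= j2 <= |σ|")
    return sigma[j1 - 1:j2]


def is_subsequence(sigma_p, sigma):
    """Subsequence in the book's sense: f(i+1) = f(i)+1 makes it a contiguous block."""
    n = len(sigma_p)
    return n == 0 or any(sigma[i:i + n] == sigma_p for i in range(len(sigma) - n + 1))


# --- the prefix ordering as a partial order ---------------------------------

def is_chain(seqs):
    """c0 c1 c2 ... is a chain if each element is a prefix of the next."""
    return all(is_prefix(a, b) for a, b in zip(seqs, seqs[1:]))


def upper_bounds_in(P, candidates):
    return {c for c in candidates if all(is_prefix(p, c) for p in P)}


def is_directed(P):
    """Every finite subset of P has an upper bound in P.  For finite P this holds
    iff P is nonempty (the empty subset needs a bound) and every pair has one."""
    P = set(P)
    return bool(P) and all(upper_bounds_in({a, b}, P) for a in P for b in P)


def lub(P):
    """⊔P for a finite set of finite sequences: the longest element if every
    member is a prefix of it, else None because P has no upper bound at all."""
    P = set(P)
    if not P:
        return EMPTY
    longest = max(P, key=len)
    return longest if all(is_prefix(p, longest) for p in P) else None


def limit_of_chain(chain):
    return lub(chain) if is_chain(chain) else None


def is_monotone(f, P):
    """f is monotone on P if c ≤ d implies f(c) ≤ f(d)."""
    return all(is_prefix(f(c), f(d)) for c in P for d in P if is_prefix(c, d))


def project(A):
    """Keep only the elements of A.  Dropping elements preserves prefixes, so the
    resulting function on sequences is monotone."""
    return lambda sigma: tuple(x for x in sigma if x in A)


# Constructed sample: one run's action names and the chain of its prefixes.
trace = ("send", "tick", "recv", "tick", "ack")
chain = [trace[:k] for k in range(len(trace) + 1)]
```

The chain of prefixes of `trace` has `trace` itself as its limit; the two-element set {(a), (b)} is neither directed nor bounded, so `lub` returns `None` for it, and reversing a sequence fails the monotonicity check while projection passes it.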


2.4 A BASIC GRAPH LEMMA 


We require the following lemma, a slight generalization of König’s Lemma [60]. If G is a directed 
graph, then a root of G is defined to be a node with no incoming edges. 


Lemma 2.1   Let G be an infinite directed graph that satisfies the following properties. 
1. G has finitely many roots. 
2. Each node of G has finite outdegree. 
3. Each node of G is reachable from some root of G. 


Then, there is an infinite path in G starting from some root. 


Proof. An extension of the usual proof of König’s Lemma [60]. 


CHAPTER 3 


Describing Timed System Behavior 


In this chapter, we give basic definitions that are useful for describing discrete and continuous 
changes to the system’s state. The key notions are static and dynamic types for variables, trajectories, 
and hybrid sequences. Most of the material in this chapter comes from the paper on the HIOA 
modeling framework [79]. The reader is referred to [79] for the proofs that are not included here. 
Again, the reader might prefer to skip directly to Chapter 4 and refer back to this chapter as needed. 


3.1 TIME 


Throughout this monograph, we fix a time axis $T$, which is a subgroup of $(\mathbb{R}, +)$, the real numbers 
with addition. We assume that every infinite, monotone, bounded sequence of elements of $T$ has 
a limit in $T$. The reader may find it convenient to think of $T$ as the set $\mathbb{R}$ of real numbers, but 
the set $\mathbb{Z}$ of integers and the singleton set $\{0\}$ are also examples of allowed time axes. We define 
$T^{\geq 0} \triangleq \{t \in T \mid t \geq 0\}$. 

An interval $J$ is a nonempty, convex subset of $T$. We denote intervals as usual: $[t_1, t_2] = \{t \in T \mid t_1 \leq t \leq t_2\}$, 
$[t_1, t_2) = \{t \in T \mid t_1 \leq t < t_2\}$, etc. An interval $J$ is left-closed (right-closed) if it has 
a minimum (resp., maximum) element, and left-open (right-open) otherwise. It is closed if it is both 
left-closed and right-closed. We write $\min(J)$ and $\max(J)$ for the minimum and maximum elements, 
respectively, of an interval $J$ (if they exist), and $\inf(J)$ and $\sup(J)$ for the infimum and supremum, 
respectively, of $J$ in $\mathbb{R} \cup \{-\infty, \infty\}$. For $K \subseteq T$ and $t \in T$, we define $K + t \triangleq \{t' + t \mid t' \in K\}$. 
Similarly, for a function $f$ with domain $K$, we define $f + t$ to be the function with domain $K + t$ 
satisfying, for each $t' \in K + t$, $(f + t)(t') = f(t' - t)$. 

In some definitions and theorems in the monograph where we use $\mathbb{R}$ as the time domain, we 
assume that the relation $\leq$ on $\mathbb{R}$ extends to a relation on $\mathbb{R} \cup \{\infty\}$ such that $\infty \leq \infty$ and for all 
$t \in \mathbb{R}$, $t < \infty$. 


3.2 STATIC AND DYNAMIC TYPES 


We assume a universal set V of variables. A variable represents a location within the state of a system. 
For each variable v, we assume both a (static) type, which gives the set of values it may take on, and 
a dynamic type, which gives the set of trajectories it may follow. Formally, for each variable v we 
assume the following: 
* type(v), the (static) type of v. This is a nonempty set of values. 


* dtype(v), the dynamic type of v. This is a set of functions from left-closed intervals of $T$ to 
type(v) that satisfies the following properties: 


1. (Closure under time shift) 
For each $f \in dtype(v)$ and $t \in T$, $f + t \in dtype(v)$. 


2. (Closure under subinterval) 
For each $f \in dtype(v)$ and each left-closed interval $J \subseteq dom(f)$, $f \lceil J \in dtype(v)$. 


3. (Closure under pasting) 
Let $f_0\, f_1\, f_2 \ldots$ be a sequence of functions in $dtype(v)$ such that, for each nonfinal index 
$i$, $dom(f_i)$ is right-closed and $\max(dom(f_i)) = \min(dom(f_{i+1}))$. Then the function $f$ 
defined by $f(t) \triangleq f_i(t)$, where $i$ is the smallest index such that $t \in dom(f_i)$, is in $dtype(v)$. 


Example 3.1 (Discrete variables). Let v be any variable and let Constant be the set of constant 
functions from a left-closed interval of $T$ to type(v). Then Constant is closed under time shift and 
subinterval. If the dynamic type of v is obtained by closing Constant under the pasting operation, 
then v is called a discrete variable. This is essentially the same as the definition of a discrete variable 
in [88]. 


Example 3.2 (Analog variables). Assume that $T = \mathbb{R}$. Let v be any variable whose static type is 
an interval of $\mathbb{R}$ and Continuous be the set of continuous functions from a left-closed interval of 
$T$ to type(v). Then Continuous is closed under time shift and subinterval. If the dynamic type of v 
is obtained by closing Continuous under the pasting operation, then v is called an analog variable. 
Figure 3.1 shows an example of a function f in the dynamic type of an analog variable. Function f is 
defined on the interval [0, 4) and is obtained by pasting together four pieces. At the boundary points 
between these pieces, f takes the value specified by the leftmost piece, which makes f continuous 
from the left. Note that f is undefined at time 4. Also note that, in a setting with $T = \mathbb{R}$, a real-valued 
discrete variable is a special kind of analog variable as constant functions are also continuous. 


Example 3.3 (Standard real-valued function classes). If we take $T = \mathbb{R}$ and type(v) $= \mathbb{R}$, then other 
examples of dynamic types can be obtained by taking the pasting closure of standard function classes 
from real analysis: the set of differentiable functions, the set of functions that are differentiable k times 
(for any k), the set of smooth functions, the set of integrable functions, the set of $L^p$ functions (for 
any p), the set of measurable locally essentially bounded functions [113], or the set of all functions. 


Standard function classes are closed under time shift and subinterval, but not under pasting. 
A natural way of defining a dynamic type is as the pasting closure of a class of functions that is closed 
under time shift and subinterval. In such a case, it follows that the new class is closed under all three 
operations. 
Figure 3.1: Example of a function in the dynamic type of an analog variable. 


3.3 TRAJECTORIES 


In this section, we define the notion of a trajectory, define operations on trajectories, and prove 
simple properties of trajectories and their operations. A trajectory is used to model the evolution of 
a collection of variables over an interval of time. 


3.3.1 BASIC DEFINITIONS 


Let $V$ be a set of variables, that is, a subset of $\mathcal{V}$. A valuation $\mathbf{v}$ for $V$ is a function that associates 
with each variable $v \in V$ a value in type(v). We write val(V) for the set of valuations for $V$. Let $J$ 
be a left-closed interval of $T$ with left endpoint equal to 0. Then a $J$-trajectory for $V$ is a function 
$\tau : J \to val(V)$, such that for each $v \in V$, $\tau \downarrow v \in dtype(v)$. A trajectory for $V$ is a $J$-trajectory for 
$V$, for any $J$. We write trajs(V) for the set of all trajectories for $V$. If $Q$ is a set of valuations for 
some set $V$ of variables, we write trajs(Q) for the set of all trajectories whose range is a subset of $Q$. 

A trajectory for V where V = Ø is simply a function from a time interval to the special function 
with the empty domain. Thus, the only interesting information represented by such a trajectory is 
the length of the time interval that constitutes the domain of the trajectory. We use trajectories over 
the empty set of variables when we wish to capture the amount of time-passage but abstract away 
the evolution of variables. 
A trajectory for $V$ with domain $[0, 0]$ is called a point trajectory for $V$. If $\mathbf{v}$ is a valuation for 
$V$ then $\wp(\mathbf{v})$ denotes the point trajectory for $V$ that maps 0 to $\mathbf{v}$. We say that a $J$-trajectory is finite 
if $J$ is a finite interval, closed if $J$ is a (finite) closed interval, open if $J$ is a right-open interval, and 
full if $J = T^{\geq 0}$. If $\mathcal{T}$ is a set of trajectories, then finite($\mathcal{T}$), closed($\mathcal{T}$), open($\mathcal{T}$), and full($\mathcal{T}$) denote 
the subsets of $\mathcal{T}$ consisting of all the finite, closed, open, and full trajectories in $\mathcal{T}$, respectively. 

If $\tau$ is a trajectory then $\tau.ltime$, the limit time of $\tau$, is the supremum of $dom(\tau)$. We define 
$\tau.fval$, the first valuation of $\tau$, to be $\tau(0)$, and if $\tau$ is closed, we define $\tau.lval$, the last valuation of $\tau$, 
to be $\tau(\tau.ltime)$. For $\tau$ a trajectory and $t \in T^{\geq 0}$ we define 


$\tau \trianglelefteq t \triangleq \tau \lceil [0, t]$, 
$\tau \lhd t \triangleq \tau \lceil [0, t)$, 
$\tau \trianglerighteq t \triangleq (\tau \lceil [t, \infty)) - t$. 


Note that, since dynamic types are closed under time shift and subintervals, the result of applying the 
above operations is always a trajectory, except when the result is a function with an empty domain. 
By convention, we also write $\tau \trianglelefteq \infty \triangleq \tau$ and $\tau \lhd \infty \triangleq \tau$. 


3.3.2 PREFIX ORDERING 


Trajectory $\tau$ is a prefix of trajectory $\upsilon$, denoted by $\tau \leq \upsilon$, if $\tau$ can be obtained by restricting $\upsilon$ to 
a subset of its domain. Formally, if $\tau$ and $\upsilon$ are trajectories for $V$, then $\tau \leq \upsilon$ iff $\tau = \upsilon \lceil dom(\tau)$. 
Alternatively, $\tau \leq \upsilon$ iff there exists a $t \in T^{\geq 0} \cup \{\infty\}$ such that $\tau = \upsilon \trianglelefteq t$ or $\tau = \upsilon \lhd t$. If $\tau \leq \upsilon$ 
then clearly $dom(\tau) \subseteq dom(\upsilon)$. If $\mathcal{T}$ is a set of trajectories for $V$, then pref($\mathcal{T}$) denotes the prefix 
closure of $\mathcal{T}$, defined by: 


$pref(\mathcal{T}) \triangleq \{\tau \in trajs(V) \mid \exists \upsilon \in \mathcal{T} : \tau \leq \upsilon\}$. 


We say that $\mathcal{T}$ is prefix closed if $\mathcal{T} = pref(\mathcal{T})$. 
The following lemma gives a simple domain-theoretic characterization of the set of trajectories 
over a given set V of variables. 


Lemma 3.4 Let $V$ be a set of variables. The set trajs(V) of trajectories for $V$, together with the prefix 
ordering $\leq$, is an algebraic cpo. Its compact elements are the closed trajectories. In fact, each element of the 
cpo is the limit of a chain of compact elements. 


We say that a set P of trajectories is closed under limits if the limit of each chain of elements 
of P is contained in P. 


3.3.3 CONCATENATION 


The concatenation of two trajectories is obtained by taking the union of the first trajectory and the 
function obtained by shifting the domain of the second trajectory until the start time agrees with the 
limit time of the first trajectory; the last valuation of the first trajectory, which may not be the same 
as the first valuation of the second trajectory, is the one that appears in the concatenation. Formally, 
suppose $\tau$ and $\tau'$ are trajectories for $V$, with $\tau$ closed. Then the concatenation $\tau \frown \tau'$ is the function 
given by 


$\tau \frown \tau' \triangleq \tau \cup (\tau' \lceil (0, \infty) + \tau.ltime)$. 


Because dynamic types are closed under time shift and pasting, it follows that $\tau \frown \tau'$ is a trajectory 
for $V$. Observe that $\tau \frown \tau'$ is finite (resp., closed, full) if and only if $\tau'$ is finite (resp., closed, full). 
Observe also that concatenation is associative. 

The following lemma, which is easy to prove, shows the close connection between concate- 
nation and the prefix ordering. 


Lemma 3.5 Let $\tau$ and $\upsilon$ be trajectories for $V$ with $\tau$ closed. Then 


$\tau \leq \upsilon \Leftrightarrow \exists \tau' : \upsilon = \tau \frown \tau'$. 


Note that if $\tau \leq \upsilon$, then the trajectory $\tau'$ such that $\upsilon = \tau \frown \tau'$ has an arbitrary value for $\tau'.fval$ 
and the remainder of the trajectory is unique. Note also that the "$\Leftarrow$" implication in Lemma 3.5 
would not hold if the first valuation of the second argument, rather than the last valuation of the 
first argument, were used in the concatenation. 

We extend the definition of concatenation to any (finite or countably infinite) number of 
arguments. Let $\tau_0\, \tau_1\, \tau_2 \ldots$ be a (finite or infinite) sequence of trajectories such that $\tau_i$ is closed for 
each nonfinal index $i$. Define trajectories $\tau'_0, \tau'_1, \tau'_2, \ldots$ inductively by 

$\tau'_0 \triangleq \tau_0$, 
$\tau'_{i+1} \triangleq \tau'_i \frown \tau_{i+1}$ for nonfinal $i$. 


Lemma 3.5 implies that for each nonfinal $i$, $\tau'_i \leq \tau'_{i+1}$. We define the concatenation $\tau_0 \frown \tau_1 \frown \tau_2 \cdots$ 
to be the limit of the chain $\tau'_0, \tau'_1, \tau'_2, \ldots$; existence of this limit follows from Lemma 3.4. 


3.4 HYBRID SEQUENCES 


In this section, we introduce the notion of a hybrid sequence, which is used to model a combination of 
changes that occur instantaneously and changes that occur over intervals of time. Our definition is 
parameterized by a set A of actions, which are used to model instantaneous changes and instantaneous 
synchronizations with the environment, and a set V of variables, which are used to model changes 
over intervals of time. We also define some special kinds of hybrid sequences and some operations 
on hybrid sequences, and give basic properties. 
3.4.1 BASIC DEFINITIONS 


Fix a set $A$ of actions and a set $V$ of variables. An $(A, V)$-sequence is a finite or infinite alternating 
sequence $\alpha = \tau_0\, a_1\, \tau_1\, a_2\, \tau_2 \ldots$, where: 


1. each $\tau_i$ is a trajectory in trajs(V); 

2. each $a_i$ is an action in $A$; 

3. if $\alpha$ is a finite sequence then it ends with a trajectory; and 
4. if $\tau_i$ is not the last trajectory in $\alpha$ then $\tau_i$ is closed. 


We write S(A, V) to denote the set of (A, V)-sequences. A hybrid sequence is an (A, V)-sequence 
for some A and V. 

Since the trajectories in a hybrid sequence can be point trajectories, our notion of hybrid 
sequence allows a sequence of discrete actions to occur at the same real time, with corresponding 
changes of variable values. An alternative approach is described in [102], where state changes at a 
single real time are modeled using a notion of "superdense time". Specifically, hybrid behavior is 
modeled in [102] using functions from an extended time domain, which includes countably many 
elements for each real time, to states. 

If $\alpha$ is a hybrid sequence, with notation as above, then we define the limit time of $\alpha$, $\alpha.ltime$, 
to be $\sum_i \tau_i.ltime$. A hybrid sequence $\alpha$ is defined to be: 


* time-bounded if $\alpha.ltime$ is finite. 

* admissible if $\alpha.ltime = \infty$. 

* closed if $\alpha$ is a finite sequence and its final trajectory is closed. 

* open if $\alpha$ is a finite sequence and its final trajectory is open. 

* Zeno if $\alpha$ is neither closed nor admissible, that is, if $\alpha$ is time-bounded and is either open or 
an infinite sequence. 

* nonZeno if $\alpha$ is not Zeno. 


We write A(A, V) and C(A, V) to denote the sets of admissible and closed $(A, V)$-sequences, 
respectively. Figure 3.2 illustrates the classification of hybrid sequences. Observe that finite admissible 
hybrid sequences are always open, and infinite time-bounded sequences are always Zeno. Finite time- 
bounded sequences can be either closed or Zeno and open. For any hybrid sequence $\alpha$, we define 
the first valuation of $\alpha$, $\alpha.fval$, to be $head(\alpha).fval$. Also, if $\alpha$ is closed, we define the last valuation of 
$\alpha$, $\alpha.lval$, to be $last(\alpha).lval$, that is, the last valuation in the final trajectory of $\alpha$. 

If $\alpha$ is a closed $(A, V)$-sequence, where $V = \emptyset$ and $\beta \in trajs(\emptyset)$, we call $\alpha \frown \beta$ a time-extension 
of $\alpha$. 




[Figure 3.2: diagram classifying hybrid sequences; labels: time-bounded, admissible, closed, finite open, open Zeno, infinite Zeno] 


Figure 3.2: Classification of hybrid sequences. 


3.4.2 PREFIX ORDERING 


We say that $(A, V)$-sequence $\alpha = \tau_0\, a_1\, \tau_1 \ldots$ is a prefix of $(A, V)$-sequence $\beta = \upsilon_0\, b_1\, \upsilon_1 \ldots$, de- 
noted by $\alpha \leq \beta$, provided that (at least) one of the following holds: 


1. $\alpha = \beta$. 


2. $\alpha$ is a finite sequence ending in some $\tau_k$; $\tau_i = \upsilon_i$ and $a_{i+1} = b_{i+1}$ for every $i$, $0 \leq i < k$; and 
$\tau_k \leq \upsilon_k$. 


Like the set of trajectories over V, the set of (A, V)-sequences is an algebraic cpo: 


Lemma 3.6 Let $V$ be a set of variables and $A$ a set of actions. The set of $(A, V)$-sequences, together with 
the prefix ordering <, is an algebraic cpo. Its compact elements are the closed (A, V )-sequences. In fact, each 
element of the cpo is the limit of a chain of compact elements. 


We say that a set P of (A, V)-sequences is closed under limits if the limit of each chain of 
elements of P is contained in P. Set P is closed under time-bounded limits if, for each chain of elements 
of P with a limit o that is time-bounded, o is contained in P. In a similar way, we define closure 
under admissible limits, finite limits, Zeno limits, etc. 


3.4.3 CONCATENATION 


Suppose $\alpha$ and $\alpha'$ are $(A, V)$-sequences with $\alpha$ closed. Then the concatenation $\alpha \frown \alpha'$ is the $(A, V)$- 
sequence given by 


$\alpha \frown \alpha' \triangleq init(\alpha)\ (last(\alpha) \frown head(\alpha'))\ tail(\alpha')$. 

(Here, init, last, head, and tail are ordinary sequence operations.) 

Lemma 3.7 Let $\alpha$ and $\beta$ be $(A, V)$-sequences with $\alpha$ closed. Then 

$\alpha \leq \beta \Leftrightarrow \exists \alpha' : \beta = \alpha \frown \alpha'$. 


Note that if $\alpha \leq \beta$, then the $(A, V)$-sequence $\alpha'$ such that $\beta = \alpha \frown \alpha'$ is unique except that it has 
an arbitrary value in val(V) for $\alpha'.fval$. 

As we did for trajectories, we extend the concatenation definition for $(A, V)$-sequences to 
any finite or infinite number of arguments. Let $\alpha_0\, \alpha_1 \ldots$ be a finite or infinite sequence of $(A, V)$- 
sequences such that $\alpha_i$ is closed for each nonfinal index $i$. Define $(A, V)$-sequences $\alpha'_0, \alpha'_1, \ldots$ 
inductively by 

$\alpha'_0 \triangleq \alpha_0$, 
$\alpha'_{i+1} \triangleq \alpha'_i \frown \alpha_{i+1}$ for nonfinal $i$. 


Lemma 3.7 implies that for each nonfinal $i$, $\alpha'_i \leq \alpha'_{i+1}$. We define the concatenation $\alpha_0 \frown \alpha_1 \frown \cdots$ to 
be the limit of the chain $\alpha'_0, \alpha'_1, \ldots$; existence of this limit is ensured by Lemma 3.6. 


3.4.4 RESTRICTION 


Let $A$ and $A'$ be sets of actions and let $V$ and $V'$ be sets of variables. The $(A', V')$-restriction of 
an $(A, V)$-sequence $\alpha$, denoted by $\alpha \lceil (A', V')$, is obtained by first projecting all trajectories of $\alpha$ 
on the variables in $V'$, then removing the actions not in $A'$, and finally concatenating all adjacent 
trajectories. Formally, we define the $(A', V')$-restriction first for closed $(A, V)$-sequences and then 
extend the definition to arbitrary $(A, V)$-sequences using a limit construction. The definition for 
closed $(A, V)$-sequences is by induction on the length of those sequences: 


$\tau \lceil (A', V') \triangleq \tau \downarrow V'$ if $\alpha$ is a single trajectory $\tau$, 
$\alpha\, a\, \tau \lceil (A', V') \triangleq (\alpha \lceil (A', V'))\ a\ (\tau \downarrow V')$ if $a \in A'$, 
$\alpha\, a\, \tau \lceil (A', V') \triangleq (\alpha \lceil (A', V')) \frown (\tau \downarrow V')$ otherwise. 


It is easy to see that the restriction operator is monotone on the set of closed $(A, V)$-sequences. 
Hence, if we apply this operation to a directed set, the result is again a directed set. Together with 
Lemma 3.6, this allows us to extend the definition of restriction to arbitrary $(A, V)$-sequences by: 


$\alpha \lceil (A', V') \triangleq \sqcup \{\beta \lceil (A', V') \mid \beta \text{ is a closed prefix of } \alpha\}$. 




The next four lemmas state some basic properties of the restriction operation. 


Lemma 3.8 $(A', V')$-restriction is a continuous operation. 

Lemma 3.9 $(\alpha_0 \frown \alpha_1 \frown \cdots) \lceil (A', V') = \alpha_0 \lceil (A', V') \frown \alpha_1 \lceil (A', V') \frown \cdots$. 

Lemma 3.10 $(\alpha \lceil (A, V)) \lceil (A', V') = \alpha \lceil (A \cap A', V \cap V')$. 


Lemma 3.11 Let $\alpha$ be a hybrid sequence, $A$ a set of actions and $V$ a set of variables. 
1. $\alpha$ is time-bounded if and only if $\alpha \lceil (A, V)$ is time-bounded. 
2. $\alpha$ is admissible if and only if $\alpha \lceil (A, V)$ is admissible. 
3. If $\alpha$ is closed then $\alpha \lceil (A, V)$ is closed. 
4. If $\alpha$ is nonZeno then $\alpha \lceil (A, V)$ is nonZeno. 


Example 3.12 (A Zeno execution with a closed $(A, V)$-restriction). In order to understand why 
in Lemma 3.11 we have an implication in only one direction in items 3 and 4, consider the Zeno 
sequence $\alpha$ of the form $\wp(\mathbf{v})\, a\, \wp(\mathbf{v})\, a\, \wp(\mathbf{v}) \ldots$. Let $A$ be a set such that $a \notin A$ and let $V$ consist 
of the variables in $dom(\mathbf{v})$. Obviously, $\alpha \lceil (A, V)$, which is $\wp(\mathbf{v})$, is closed, and hence also nonZeno. 
This shows that the fact that $\alpha \lceil (A, V)$ is closed (resp., nonZeno) does not imply that $\alpha$ is closed 
(resp., nonZeno). 
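As an added illustration (not code from the monograph), the following Python model implements finite hybrid sequences with the concatenation, projection and restriction operations of Sections 3.3 and 3.4, checks items 1 and 3 of Lemma 3.11 on a constructed sequence, and reproduces the closed restriction of a finite prefix of the Zeno sequence of Example 3.12. Representing a trajectory by its limit time, a closed flag and a valuation function is an assumption made here for illustration.

```python
"""Finite hybrid sequences over trajectories (Sections 3.3 and 3.4) with the
concatenation, projection and (A', V')-restriction operations.  Added example:
the representation (limit time, closed flag, valuation function) is an
assumption for illustration, not the monograph's notation."""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Union

Valuation = Dict[str, float]


@dataclass(frozen=True)
class Trajectory:
    ltime: float                      # tau.ltime = sup dom(tau); math.inf when full
    closed: bool                      # dom(tau) = [0, ltime] if closed, else [0, ltime)
    f: Callable[[float], Valuation]   # tau(t) for t in dom(tau)

    def __call__(self, t: float) -> Valuation:
        if t < 0 or t > self.ltime or (t == self.ltime and not self.closed):
            raise ValueError(f"{t} is not in dom(tau)")
        return self.f(t)

    @property
    def fval(self) -> Valuation:
        return self(0.0)

    @property
    def lval(self) -> Valuation:
        if not self.closed:
            raise ValueError("lval is defined only for closed trajectories")
        return self(self.ltime)


def point(v: Valuation) -> Trajectory:
    """The point trajectory that maps 0 to v."""
    return Trajectory(0.0, True, lambda t: dict(v))


def concat(tau: Trajectory, tau2: Trajectory) -> Trajectory:
    """tau ^ tau2: tau2 is shifted right by tau.ltime, and at the join point the
    last valuation of tau wins, exactly as in the pasting rule of Example 3.2."""
    if not tau.closed:
        raise ValueError("the first argument of a concatenation must be closed")
    shift = tau.ltime
    return Trajectory(shift + tau2.ltime, tau2.closed,
                      lambda t: tau.f(t) if t <= shift else tau2.f(t - shift))


def project(tau: Trajectory, names: Set[str]) -> Trajectory:
    """tau projected on the variables in names (tau down V' on the page)."""
    return Trajectory(tau.ltime, tau.closed,
                      lambda t: {x: y for x, y in tau.f(t).items() if x in names})


# A finite (A, V)-sequence [tau0, a1, tau1, ..., an, taun]; every trajectory but
# the last must be closed (condition 4 of Section 3.4.1).
HybridSeq = List[Union[Trajectory, str]]


def ltime(alpha: HybridSeq) -> float:
    return sum(x.ltime for x in alpha[0::2])


def classify(alpha: HybridSeq) -> str:
    """Classification of a finite hybrid sequence (Section 3.4.1)."""
    if ltime(alpha) == math.inf:
        return "admissible"
    return "closed" if alpha[-1].closed else "Zeno"   # finite, time-bounded and open


def restrict(alpha: HybridSeq, actions: Set[str], names: Set[str]) -> HybridSeq:
    """(A', V')-restriction (Section 3.4.4): project every trajectory on V', drop
    the actions outside A' and concatenate the trajectories they separated."""
    out: HybridSeq = [project(alpha[0], names)]
    for a, tau in zip(alpha[1::2], alpha[2::2]):
        if a in actions:
            out += [a, project(tau, names)]
        else:
            out[-1] = concat(out[-1], project(tau, names))
    return out


def demo_restriction() -> dict:
    """Constructed sample: x ramps while y is 1; after send, x is 5 and y ramps
    from 2; after receive both are 0 on an open interval of length 3."""
    tau0 = Trajectory(2.0, True, lambda t: {"x": t, "y": 1.0})
    tau1 = Trajectory(1.0, True, lambda t: {"x": 5.0, "y": 2.0 + t})
    tau2 = Trajectory(3.0, False, lambda t: {"x": 0.0, "y": 0.0})
    alpha: HybridSeq = [tau0, "send", tau1, "receive", tau2]
    beta = restrict(alpha, {"receive"}, {"y"})
    first = beta[0]                      # tau0 ^ tau1, projected on y
    return {
        "actions": beta[1::2],
        "ltime_preserved": ltime(beta) == ltime(alpha),        # Lemma 3.11, item 1
        "join_keeps_lval_of_first": first(2.0) == {"y": 1.0},  # not tau1.fval, y = 2.0
        "after_join": first(2.5),
        "class": classify(beta),          # alpha is finite, open and time-bounded
    }


def demo_zeno_prefix(n: int) -> dict:
    """A closed prefix of the Zeno sequence p(v) a p(v) a ... of Example 3.12,
    restricted to a set of actions that does not contain a."""
    v = {"x": 1.0}
    alpha: HybridSeq = [point(v)] + ["a", point(v)] * n
    beta = restrict(alpha, set(), {"x"})
    return {"length": len(beta), "closed": beta[-1].closed, "ltime": ltime(beta)}
```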
CHAPTER 4 


Timed Automata 


In this chapter, as a preliminary step toward defining timed I/O automata, we define a slightly more 
general timed automaton model. In timed automata, actions are classified as external or internal, but 
external actions are not further classified as input or output; the input/output distinction is added 
in Chapter 7. We define how timed automata execute and define implementation and simulation 
relations between timed automata. 
A timed automaton is a state machine whose states are divided into variables, and that has a set of 
discrete actions, some of which may be internal and some external. The state of a timed automaton 
may change in two ways: by discrete transitions, which change the state atomically, and by trajectories, 
which describe the evolution of the state over intervals of time. The discrete transitions are labeled 
with actions; this will allow us to synchronize the transitions of different timed automata when we 
compose them in parallel. The evolution described by a trajectory may be described by continuous 
or discontinuous functions. 
Formally, a timed automaton (TA) $\mathcal{A} = (X, Q, \Theta, E, H, D, \mathcal{T})$ consists of: 


* A set $X$ of internal variables. 
* A set $Q \subseteq val(X)$ of states. 
* A nonempty set $\Theta \subseteq Q$ of start states. 


* A set $E$ of external actions and a set $H$ of internal actions, disjoint from each other. 
We write $A \triangleq E \cup H$. 


* A set $D \subseteq Q \times A \times Q$ of discrete transitions. 
We use $x \xrightarrow{a}_{\mathcal{A}} x'$ as shorthand for $(x, a, x') \in D$. Here and elsewhere, we sometimes drop the 
subscript and write $x \xrightarrow{a} x'$, when we think $\mathcal{A}$ should be clear from the context. We say that 
$a$ is enabled in $x$ if $x \xrightarrow{a} x'$ for some $x'$. We say that a set $C$ of actions is enabled in a state $x$ if 
some action in $C$ is enabled in $x$. 


* A set $\mathcal{T} \subseteq trajs(Q)$ of trajectories. Given a trajectory $\tau \in \mathcal{T}$ we denote $\tau.fval$ by $\tau.fstate$ and, if 
$\tau$ is closed, we denote $\tau.lval$ by $\tau.lstate$. When $\tau.fstate = x$ and $\tau.lstate = x'$, we write $x \xrightarrow{\tau} x'$. 
We require that the following axioms hold: 
T0 (Existence of point trajectories) 
If $x \in Q$ then $\wp(x) \in \mathcal{T}$. 


T1 (Prefix closure) 
For every $\tau \in \mathcal{T}$ and every $\tau' \leq \tau$, $\tau' \in \mathcal{T}$. 


T2 (Suffix closure) 
For every $\tau \in \mathcal{T}$ and every $t \in dom(\tau)$, $\tau \trianglerighteq t \in \mathcal{T}$. 


T3 (Concatenation closure) 
Let $\tau_0\, \tau_1\, \tau_2 \ldots$ be a sequence of trajectories in $\mathcal{T}$ such that, for each nonfinal index $i$, $\tau_i$ 
is closed and $\tau_i.lstate = \tau_{i+1}.fstate$. Then $\tau_0 \frown \tau_1 \frown \tau_2 \cdots \in \mathcal{T}$. 


A timed automaton is essentially a hybrid automaton in the sense of [79] in which W, the set of 
external variables, is empty. Apart from that, the only difference is the addition of Axiom T0, a small 
restriction that does not affect any of the results of [79] but that we need to prove Theorem 8.8. 
Axioms T1-3 express some natural further conditions on the set of trajectories that we need to 
construct our theory. A key part of this theory is a parallel composition operation for timed automata. 
In a composed system, any trajectory of any component automaton may be interrupted at any time 
by a discrete transition of another (possibly independent) component automaton. Axiom T1 ensures 
that the part of the trajectory up to the discrete transition is a trajectory, and Axiom T2 ensures that 
the remainder is a trajectory. Axiom T3 is required because the environment of a timed automaton, 
as a result of its own internal discrete transitions, may change its dynamics repeatedly, and the 
automaton must be able to follow this behavior. Axiom T3 implies that the set $\mathcal{T}$ of trajectories is 
closed under limits. 

Our definition of a timed automaton differs from previous definitions of timed automata [86, 
107] in two major respects. First, the states are structured using variables, which have dynamic 
types with specific closure properties. The variable structure is convenient for writing specifications 
and the dynamic types are useful in analyzing continuous evolution of the state. Second, the set of 
trajectories is defined as an explicit component of an automaton. In the previous definitions, time- 
passage was represented by special time-passage actions and trajectories were defined implicitly, as 
auxiliary functions describing the effects of time-passage actions on states. 


Notation: We often denote the components of a TA $\mathcal{A}$ by $X_{\mathcal{A}}, Q_{\mathcal{A}}, \Theta_{\mathcal{A}}, E_{\mathcal{A}}$, etc., and the compo- 
nents of a TA $\mathcal{A}_i$ by $X_i, Q_i, \Theta_i, E_i$, etc. We sometimes omit these subscripts, where no confusion 
seems likely. For example, we typically specify sets of trajectories using differential and algebraic 
equations and inclusions. Below, we explain a few notational conventions that help us in doing 
this. Suppose the time domain $T$ is $\mathbb{R}$, $\tau$ is a (fixed) trajectory over some set of variables $V$, and 
$v \in V$. With some abuse of notation, we use the variable name $v$ to denote the function $\tau \downarrow v$ 
in $dom(\tau) \to type(v)$, which gives the value of $v$ at all times during trajectory $\tau$. That is, for all 
$t \in dom(\tau)$, we have $v(t) = (\tau \downarrow v)(t) = \tau(t)(v)$. Similarly, we view any expression $e$ containing 
variables from $V$ as a function with domain $dom(\tau)$. Suppose that $v$ is a variable and $e$ is a real- 
valued expression containing variables from $V$. Using these conventions we can say, for example, 
that $\tau$ satisfies the algebraic equation 

$v = e$ 


which means that, for every $t \in dom(\tau)$, $v(t) = e(t)$, that is, the constraint on the variables expressed 
by the equation $v = e$ holds for each state on trajectory $\tau$. Now suppose also that $e$, when viewed as 
a function, is integrable. Then we say that $\tau$ satisfies 


$d(v) = e$ 


if, for every $t \in dom(\tau)$, $v(t) = v(0) + \int_0^t e(t')\,dt'$. Equivalently, for every $t_1, t_2 \in dom(\tau)$ such that 
$t_1 \leq t_2$, $v(t_2) = v(t_1) + \int_{t_1}^{t_2} e(t')\,dt'$. Note that this interpretation of the differential equation makes 
sense even at points where $v$ is not differentiable. A similar interpretation of differential equations 
is used by Polderman and Willems [103], who call functions defined in this way "weak solutions". 

We generalize this notation to handle inequalities as well as equalities. Suppose that $v$ is a 
variable and $e$ is a real-valued expression containing variables from $V$. The inequality 


$e \leq v$ 


means that, for every $t \in dom(\tau)$, $e(t) \leq v(t)$. That is, the constraint expressed by the inequality 
$e \leq v$ holds for each state of trajectory $\tau$. Similarly, the inequality 


$v \leq e$ 


means that, for every $t \in dom(\tau)$, $v(t) \leq e(t)$. Now suppose that $e$ is integrable when viewed as a 
function. Then we say that $\tau$ satisfies 


$e \leq d(v)$ 

if, for every $t_1, t_2 \in dom(\tau)$ such that $t_1 \leq t_2$, $v(t_1) + \int_{t_1}^{t_2} e(t')\,dt' \leq v(t_2)$, and $\tau$ satisfies 

$d(v) \leq e$ 

if, for every $t_1, t_2 \in dom(\tau)$ such that $t_1 \leq t_2$, $v(t_2) \leq v(t_1) + \int_{t_1}^{t_2} e(t')\,dt'$. 


Conventions for automata specifications: In all the examples of this monograph we assume the 
time axis T to be R and specify timed automata by using a variant of the TIOA language presented 
in [93, 55, 32, 33]. 

An automaton specification consists of four main parts: a signature, which lists the actions 
along with their kinds (external or internal) and parameter types; a state variables list, which de- 
clares the names and types of state variables; a collection of transition definitions; and a trajectories 
definition. 

Unless specified otherwise, the set of states of an automaton equals the set of all valuations 
of its state variables. Static types of variables are always declared explicitly in the state variables list. 
For example, we write v:t for a variable v of static type t. Moreover, a variable can be initialized 
to a specific value allowed by its type. For example, in order to initialize the variable v above to 
the value val, we write v:t := val. If no initial value is specified it is assumed to be arbitrary. 
The state variables list in an automaton specification can be followed by an initially clause, which 
consists of a predicate that constrains the automaton parameters and initial values of state variables. 
All of the static types used in the examples have standard interpretations, except possibly for the 
type AugmentedReal, which denotes R U {oo}. 

The dynamic types of variables are specified implicitly. By default, variables of type Real 
are assumed to be analog and variables of types other than Real are assumed to be discrete. The 
definition of what it means for a variable to be discrete or analog is given in Examples 3.1 and 3.2. 
The keyword discrete is used to qualify a discrete variable of type Real. Although timed automata 
may contain variables that are neither discrete nor analog, none of our examples use such variables. 

The transitions are specified in precondition-effect style. A pre clause specifies the enabling 
condition for an action. An eff clause contains a list of statements that specify the effect of performing 
that action on the state. All the statements in an effect clause are assumed to be executed sequentially 
in a single indivisible step. The absence of a specified precondition for an action means that the action 
is always enabled and the absence of a specified effect means that performing the action does not 
change the state. 

The trajectories are specified using a combination of algebraic and differential equations and 
inequalities, and stopping conditions. A trajectory belongs to the set of legal trajectories of an 
automaton if it satisfies the stopping condition expressed by the stop when clause, and the equations 
or inequalities in the evolve clause. The stopping condition is satisfied by a trajectory if the only state 
in which the condition holds (if any) is the last state of that trajectory. That is, time cannot advance 
beyond the point where the stopping condition is true. The evolve clause specifies the algebraic and 
differential equations that must be satisfied by the trajectories. In the evolve clause we write d(v) = e, 
d(v) ≤ e and e ≤ d(v) for the relations $d(v) = e$, $d(v) \leq e$ and $e \leq d(v)$ defined above. We assume that the evolution of each variable 
follows a continuous function throughout a trajectory. This implies that the value of a discrete variable 
is constant throughout a trajectory: time-passage does not change the value of discrete variables. 


Example 4.1 (Time-bounded channel). The automaton TimedChannel in Fig. 4.1 is the specifica- 
tion of a reliable FIFO channel that delivers its messages within a certain time bound, represented 
by the automaton parameter b of type Real which is nonnegative. The other automaton parameter 
M is an arbitrary type parameter that represents the type of messages communicated by the channel. 


The variable queue is used to hold a sequence of pairs consisting of a message that has 
been sent and its delivery deadline. The variable now is used to describe real time. Every send(m) 
transition adds to the queue a new pair whose first component is m and whose second component is 
the deadline now + b. A receive(m) transition can occur only when m is the first message in the 
queue and it results in the removal of the first message from the queue. 

The trajectory specification shows that the variable now increases with rate 1, that is, at the 
same rate as real time. The stopping condition implies that, within a trajectory, time cannot pass 
beyond the point where now becomes equal to the delivery deadline of some message in the queue. 
automaton TimedChannel(b: Real, M: Type) where b ≥ 0 
  type Packet = tuple of message: M, deadline: Real 
  signature 
    external send(m: M), receive(m: M) 

  states 
    queue: Queue[Packet] := {}, 
    now: Real := 0 

  transitions 
    external send(m) 
      eff 
        queue := append([m, now + b], queue) 
    external receive(m) 
      pre 
        head(queue).message = m 
      eff 
        queue := tail(queue) 

  trajectories 
    stop when 
      ∃ p: Packet  p ∈ queue ∧ (now = p.deadline) 
    evolve 
      d(now) = 1 


Figure 4.1: Time-bounded channel. 


Example 4.2 (Periodic sending process). The automaton PeriodicSend in Fig. 4.2 is the specifi- 
cation of a process that sends messages periodically, every u time units, where u is an automaton 
parameter of type Real which is nonnegative. The type parameter M represents the type of the 
messages sent by the process. 

The analog variable clock is a timer whose value records the amount of time that has elapsed 
since it was last reset to 0. A send(m) transition can occur only when clock = u, and it causes 
clock to be reset. The trajectory specification says that clock increases at the same rate as real time 
and time cannot pass beyond the point where clock = u. 


Example 4.3 (Periodic sending process with failures). The specification of the PeriodicSend process 
from Example 4.2 does not model failures. We now consider a variant of PeriodicSend where the 
process may fail and stop doing any discrete actions. The specification of this new automaton is 
given in Fig. 4.3. 

The discrete variable failed in automaton PeriodicSend2 is a boolean flag that records 
whether the process is failed. It is initialized to false and is set to true when a fail action occurs. 
The trajectory specification of PeriodicSend2 shows that time can advance without any bound when 
the process is failed. 
automaton PeriodicSend(u: Real, M: Type) where u ≥ 0 
  signature 
    external send(m: M) 
  states 
    clock: Real := 0 
  transitions 
    external send(m) 
      pre 
        clock = u 
      eff 
        clock := 0 
  trajectories 
    stop when 
      clock = u 
    evolve 
      d(clock) = 1 


Figure 4.2: Periodic sending process. 


Example 4.4 (Timeout process). The automaton Timeout in Fig. 4.4 is the specification of a process that awaits the receipt of a message from another process. If u time units elapse without such a message arriving, Timeout performs a timeout action, thereby “suspecting” the other process. When a message arrives it “unsuspects” the other process. Timeout may suspect and unsuspect repeatedly.

The discrete variable suspected is a flag that shows whether Timeout suspects that the other process is failed. The variable clock is a timer that records the amount of time that has elapsed since the receipt of the last message. A receive(m) transition can occur at any time; this causes the variable clock to be reset and the flag suspected to be set to false. If clock reaches u before the arrival of a message then the timeout action becomes enabled. The process sets suspected to true as a result of a timeout.

The trajectory specification shows that clock increases at the same rate as real time and, 
if suspected = false, then time cannot go beyond the point where clock = u. Note that if 
suspected = true, there is no restriction on the amount of time that can elapse. 


Example 4.5 (Fischer's algorithm). The timed automaton FischerME presented in Figs. 4.5 and 4.6 is the specification of a shared memory mutual exclusion algorithm which uses a single shared variable that can be read and written by all the participants. We fix here the number of participants to be four, by defining Index to be an enumeration consisting of four elements. Note, however, that this specification can be generalized to any finite number of participants.

The automaton parameters u_set and l_check represent upper and lower time bounds for the set(i) and check(i) actions respectively. We assume that u_set < l_check.
automaton PeriodicSend2(u: Real, M: Type) where u > 0
signature
external send(m: M), fail


states
failed: Bool := false,
clock: Real := 0


transitions
external send(m)
pre
¬failed ∧ clock = u
eff
clock := 0
external fail
eff
failed := true
trajectories
stop when
¬failed ∧ clock = u
evolve
d(clock) = 1


Figure 4.3: Periodic sending process with failures. 


The shared variable x can be assigned any value of type Index plus one additional special value nil. If a process is in the critical region, then the variable x contains the index of that process. If all users are in the remainder region, then the variable x contains the value nil. The array variable pc records the program counters of all processes. The array variable lastset keeps track of the deadlines by which the processes' set actions must occur. Similarly, the array variable firstcheck keeps track of the earliest time the processes' check actions may occur. The analog variable now models real time.

The transition definitions for external actions try(i), crit(i), exit(i), and rem(i) are straightforward. When a process performs one of these actions, its program counter is updated to record the region entered by the process. The most interesting transition definitions are test(i), set(i), and check(i) since they are the ones that involve timing constraints of the algorithm. When a process i performs a test action and observes x to be nil, it sets lastset[i] to now + u_set. This sets the deadline for the performance of the set(i) action. Note that this deadline is enforced through the stopping condition in the trajectory specification. The transition set(i) sets firstcheck[i] to now + l_check. The value of firstcheck[i] determines the earliest time check(i) may occur. The check(i) action is enabled only when the current time has at least this value.
automaton Timeout(u: Real, M: Type) where u > 0
signature
external receive(m: M), timeout


states
suspected: Bool := false,
clock: Real := 0


transitions
external receive(m)
eff
clock := 0;
suspected := false
external timeout
pre
¬suspected ∧ clock = u
eff
suspected := true
trajectories
stop when
clock = u ∧ ¬suspected
evolve
d(clock) = 1


Figure 4.4: Timeout. 


The stopping condition implies that if the value of now reaches the value of lastset[i] for some process i at some point in time, then that point must be the limit time of the trajectory.


Example 4.6 (Clock synchronization). The automaton ClockSync(u, r: Real, i: Index) in Fig. 4.7 is the specification of a single process in a clock synchronization algorithm. Each process has a physical clock and generates a logical clock. The goal of the algorithm is to achieve “agreement” and “validity” among the logical clock values. Agreement means that the logical clocks are close to one another. Validity means that the logical clocks are within the range of the physical clocks.

The algorithm is based on the exchange of physical clock values between different processes in the system. The parameter u determines the frequency of sending messages. Processes in the system are indexed by the elements of the type Index which we assume to be pre-defined. ClockSync(u, r: Real, i: Index) has a physical clock physclock, which may drift from the real time with a drift rate bounded by r. It uses the variable maxother to keep track of the largest physical clock value of the other processes in the system. The variable nextsend records when it is supposed to send its physical clock to the other processes. The logical clock, logclock, is defined to be the maximum of maxother and physclock. Formally logclock is a derived variable, which is a function whose value is defined in terms of the state variables.
type Index = enumeration of p1, p2, p3, p4


type PcValue = enumeration of rem, test, set, check,
leavetry, crit, reset, leaveexit


automaton FischerME(u_set, l_check: Real)
where u_set > 0 ∧ l_check > 0 ∧ u_set < l_check
signature
external try(i: Index), crit(i: Index), exit(i: Index), rem(i: Index)
internal test(i: Index), set(i: Index),
check(i: Index), reset(i: Index)


states
x: Null[Index] := nil,
pc: Array[Index, PcValue] := constant(rem),
lastset: Array[Index, discrete AugmentedReal] := constant(infty),
firstcheck: Array[Index, discrete AugmentedReal] := constant(0),
now: Real := 0


Figure 4.5: Fischer’s mutual exclusion algorithm: signature and states. 


A send(m,i) transition is enabled when m = physclock and nextsend = physclock. 
It causes the value of nextsend to be updated so that the next send can occur when physclock 
has advanced by u time units. The transition definition for receive(m, j,i) specifies the effect of 
receiving a message from another process j in the system. Upon the receipt of a message m from 
j, i sets maxother to the maximum of m and the current value of maxother, thereby updating its 
knowledge of the largest physical clock value of other processes in the system. 

The trajectory specification is slightly different from that in the previous examples. In this 
example, the analog variable physclock does not change at the same rate as real time but it drifts 
with a rate that is bounded by r. The periodic sending of physical clocks to other processes is enforced 
through the stopping condition in the trajectory specification. Time is not allowed to pass beyond 
the point where physclock = nextsend. 


4.2 EXECUTIONS AND TRACES 


We now define execution fragments, executions, trace fragments, and traces, which are used to describe automaton behavior. An execution fragment of a timed automaton A is an (A, V)-sequence $\alpha = \tau_0\, a_1\, \tau_1\, a_2\, \tau_2 \ldots$, where (1) each $\tau_i$ is a trajectory in T, and (2) if $\tau_i$ is not the last trajectory in $\alpha$ then $\tau_i.lstate \xrightarrow{a_{i+1}} \tau_{i+1}.fstate$. An execution fragment records what happens during a particular run




transitions


external try(i)
pre
pc[i] = rem
eff
pc[i] := test

internal test(i)
pre
pc[i] = test
eff
if x = nil then
pc[i] := set;
lastset[i] := now + u_set

internal set(i)
pre
pc[i] = set
eff
x := embed(i);
pc[i] := check;
lastset[i] := infty;
firstcheck[i] := now + l_check

internal check(i)
pre
pc[i] = check ∧
now ≥ firstcheck[i]
eff
if x = embed(i) then pc[i] := leavetry
else pc[i] := test

external crit(i)
pre
pc[i] = leavetry
eff
pc[i] := crit

external exit(i)
pre
pc[i] = crit
eff
pc[i] := reset

internal reset(i)
pre
pc[i] = reset
eff
x := nil;
pc[i] := leaveexit

external rem(i)
pre
pc[i] = leaveexit
eff
pc[i] := rem


trajectories
stop when
∃ i: Index now = lastset[i]
evolve
d(now) = 1


Figure 4.6: Fischer’s mutual exclusion algorithm: transitions and trajectory definitions. 


of a system, including all the instantaneous, discrete state changes and all the changes to the state that occur while time advances. We write frags_A for the set of all execution fragments of A.

If α is an execution fragment, with notation as above, then we define the first state of α, α.fstate, to be α.fval. An execution fragment of a timed automaton A from a state x of A is an execution fragment of A whose first state is x. We write frags_A(x) for the set of execution fragments of A from x. An execution fragment α is defined to be an execution if α.fstate is a start state, that
automaton ClockSync(u, r: Real, i: Index) where u > 0 ∧ (0 ≤ r < 1)
signature
external send(m: Real, const i: Index),
receive(m: Real, j: Index, const i: Index) where j ≠ i


states
nextsend: discrete Real := 0,
maxother: discrete Real := 0,
physclock: Real := 0


derived variables
logclock = max(maxother, physclock)


transitions
external send(m, i)


pre
m = physclock ∧ physclock = nextsend
eff
nextsend := nextsend + u
external receive(m, j, i)
eff
maxother := max(maxother, m)


trajectories
stop when
physclock = nextsend
evolve
(1 - r) ≤ d(physclock) ≤ (1 + r)


Figure 4.7: Clock synchronization. 


is, α.fstate ∈ Θ. We write execs_A for the set of all executions of A. If α is a closed (A, V)-sequence then we define the last state of α, α.lstate, to be α.lval.


Like trajectories, execution fragments are closed under countable concatenation.


Lemma 4.7 Let $\alpha_0\, \alpha_1 \ldots$ be a finite or infinite sequence of execution fragments of A such that, for each nonfinal index i, $\alpha_i$ is closed and $\alpha_i.lstate = \alpha_{i+1}.fstate$. Then $\alpha_0 \frown \alpha_1 \frown \cdots$ is an execution fragment of A.


Proof. Follows easily from the definitions, using Axiom T3. 


The characterization of the prefix ordering on (A, V)-sequences from Lemma 3.7 carries over 
to execution fragments. 


Lemma 4.8 Let α and β be execution fragments of A with α closed. Then

$$\alpha \leq \beta \iff \exists \alpha' \in frags_A : \beta = \alpha \frown \alpha'.$$

Proof. Implication “⇐” follows from the corresponding implication in Lemma 3.7. Implication “⇒” follows from the definitions and T2.


The external behavior of a timed automaton is captured by the set of "traces" of its execution fragments, which record external actions and the trajectories that describe the intervening passage of time. A trace consists of alternating external actions and trajectories over the empty set of variables, ∅; the only interesting information contained in these trajectories is the amount of time that elapses.

Formally, if α is an execution fragment, then the trace of α, denoted by trace(α), is the (E, ∅)-restriction of α, α ⌈ (E, ∅). A trace fragment of a timed automaton A from a state x of A is the trace of an execution fragment of A whose first state is x. We write tracefrags_A(x) for the set of trace fragments of A from x. Also, we define a trace of A to be a trace fragment from a start state, that is, the trace of an execution of A, and write traces_A for the set of traces of A.

In the earlier timed automaton models [86, 107], execution fragments were defined in a similar 
style to the one presented here, that is, as an alternating sequence of trajectories and actions. However, 
the traces were not derived from execution fragments by a simple restriction to external actions and 
the empty set of variables. Rather, a trace was defined as a sequence consisting of actions paired 
with their time of occurrence together with a limit time. The new definition increases uniformity; 
the definitions, results and proof techniques for hybrid sequences apply to both execution fragments 
and traces. 

We now revisit some of the automata presented earlier in this chapter and give sample executions and traces for these automata.


Example 4.9 (Periodic sending process). Consider the automaton PeriodicSend from Example 4.2 where u is instantiated to the real number 3 and the message type parameter M is instantiated to the set {m1, m2, ...}. The following sequence is an execution of the automaton:

$$\alpha = \tau\ send(m1)\ \tau\ send(m2)\ \tau\ send(m3)\ \tau \ldots$$

where τ : [0, 3] → val({clock}) is defined such that τ(t)(clock) = t for all t ∈ [0, 3]. The function τ is defined for closed intervals of length 3, starting at time 0. It describes the evolution of the variable clock, which is 0 at the start of τ and increases with rate 1 for 3 time units. The discrete send events occur periodically, every 3 time units, and reset the clock variable to 0.

The trace of the above execution fragment, trace(α), is the sequence

$$\alpha' = \tau'\ send(m1)\ \tau'\ send(m2)\ \tau'\ send(m3)\ \tau' \ldots$$

where τ' : [0, 3] → val(∅). Since the range of function τ' contains only the function with the empty domain, trace(α) does not contain any information about what happens to the value of clock as time progresses. Since the domains of τ and τ' are identical, α and α' express the same information about the amount of time that elapses between discrete steps.
Example 4.10 (Timeout process). We now present an execution of the automaton Timeout from Example 4.4 where the maximum waiting time u for a message is 5 and the message alphabet M is the set {m1, m2}. The following finite sequence is an execution of Timeout:

$$\alpha = \tau_0\ receive(m1)\ \tau_1\ timeout\ \tau_2\ receive(m2)\ \tau_3\ timeout\ \tau_4$$

where Val = val({suspected, clock}) and the functions τ0, τ1, τ2, τ3, τ4 are defined as follows:
τ0 : [0, 2] → Val where τ0(t)(suspected) = false and τ0(t)(clock) = t for all t ∈ [0, 2].
τ1 : [0, 5] → Val where τ1(t)(suspected) = false and τ1(t)(clock) = t for all t ∈ [0, 5].
τ2 : [0, 1] → Val where τ2(t)(suspected) = true and τ2(t)(clock) = 5 + t for all t ∈ [0, 1].
τ3 : [0, 5] → Val where τ3(t)(suspected) = false and τ3(t)(clock) = t for all t ∈ [0, 5].
τ4 : [0, ∞) → Val where τ4(t)(suspected) = true and τ4(t)(clock) = 5 + t for all t ∈ [0, ∞).

In this sample execution, the first awaited message arrives at time 2. Since no other message arrives within the next 5 time units, the process performs a timeout. A new message arrives 1 time unit after the timeout and the variable clock is reset to 0. Since no new message arrives in the next 5 time units the process performs another timeout. The time elapses forever after this timeout since no further message arrives.

This example illustrates that the automaton Timeout can perform multiple timeout transitions. Another point to note is that the sample execution consists of a finite (A, V)-sequence ending with a trajectory, as opposed to an infinite sequence as in Example 4.9. The final trajectory here is a trajectory whose domain is right open and the execution is admissible and nonZeno. Replacing τ4 with a function on a closed interval would yield a nonZeno execution that is not admissible.

The trace of the execution α can be obtained by letting the range of each τi be the set consisting of the function with the empty domain, as we did in the previous example. That is, by hiding the values of the internal variables clock and suspected during trajectories.
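The execution of Example 4.10 and its trace, as an added executable model of the Timeout automaton of Fig. 4.4 (this code is not from the monograph). It assumes u = 5; the representation of a trajectory by its domain length and its value at time 0 is a modelling choice made here, valid because suspected is constant along a trajectory and d(clock) = 1.

```python
import math

INF = math.inf
U = 5.0            # the automaton parameter u, instantiated to 5 as in Example 4.10


class Trajectory:
    """A trajectory over {suspected, clock} with domain [0, length] (length = INF
    stands for the right-open domain [0, oo)).  suspected is a discrete variable and
    so constant along the trajectory; d(clock) = 1, so clock(t) = clock0 + t."""

    def __init__(self, length, suspected, clock0):
        if length < 0:
            raise ValueError("domain must be [0, length] with length >= 0")
        # Stopping condition of Fig. 4.4: while the process is not suspected,
        # time cannot pass the point where clock = u.
        if not suspected and clock0 + length > U:
            raise ValueError("trajectory violates 'stop when clock = u and not suspected'")
        self.length, self.suspected, self.clock0 = length, suspected, clock0

    def at(self, t):                      # the valuation tau(t)
        if not 0 <= t <= self.length:
            raise ValueError("t outside the domain")
        return {"suspected": self.suspected, "clock": self.clock0 + t}

    def fstate(self):
        return self.at(0)

    def lstate(self):                     # defined only for closed trajectories
        if self.length == INF:
            raise ValueError("lstate is undefined for a right-open trajectory")
        return self.at(self.length)


def step(state, action):
    """Discrete transitions of Fig. 4.4; raises if the precondition fails."""
    if action[0] == "receive":            # no precondition
        return {"suspected": False, "clock": 0.0}
    if action[0] == "timeout":            # pre: not suspected and clock = u
        if state["suspected"] or state["clock"] != U:
            raise ValueError("timeout not enabled in %r" % (state,))
        return {"suspected": True, "clock": state["clock"]}
    raise ValueError("unknown action %r" % (action,))


def execution(script):
    """Build tau0 a1 tau1 a2 tau2 ... from a script alternating trajectory lengths and
    actions, starting in the unique start state (suspected = false, clock = 0).
    Every trajectory and action is checked against the automaton's rules."""
    state = {"suspected": False, "clock": 0.0}
    seq = []
    for i, item in enumerate(script):
        if i % 2 == 0:                    # even positions: a trajectory length
            tau = Trajectory(item, state["suspected"], state["clock"])
            seq.append(tau)
            if tau.length < INF:
                state = tau.lstate()
        else:                             # odd positions: an action
            if seq[-1].length == INF:
                raise ValueError("no action can follow a right-open trajectory")
            state = step(state, item)
            seq.append(item)
    return seq


def is_valid(script):
    """True iff the script describes an execution of Timeout."""
    try:
        execution(script)
        return True
    except ValueError:
        return False


def trace(seq):
    """The (E, empty set)-restriction: each trajectory becomes a trajectory over the
    empty set of variables, i.e. only its domain length survives; external actions
    are kept.  Both actions of Timeout are external, so none is removed."""
    return [item.length if isinstance(item, Trajectory) else item for item in seq]


def ltime(seq):
    """Limit time of an execution or of a trace: the sum of the trajectory lengths."""
    return sum(item.length if isinstance(item, Trajectory) else item
               for item in seq if not isinstance(item, tuple))


def is_closed(seq):
    last = seq[-1]
    return not isinstance(last, tuple) and ltime([last]) < INF


def is_admissible(seq):
    return ltime(seq) == INF


# The execution of Example 4.10: tau0 receive(m1) tau1 timeout tau2 receive(m2) tau3 timeout tau4
EXAMPLE_4_10 = [2.0, ("receive", "m1"), 5.0, ("timeout",), 1.0, ("receive", "m2"),
                5.0, ("timeout",), INF]

if __name__ == "__main__":
    alpha = execution(EXAMPLE_4_10)
    print("trace(alpha) =", trace(alpha), " ltime =", ltime(alpha))
```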


The following lemma states that some properties of executions carry over to their traces and 
vice versa. 


Lemma 4.11 If α is an execution of A then:
1. α is time-bounded if and only if trace(α) is time-bounded;
2. α is admissible if and only if trace(α) is admissible;
3. If α is closed then trace(α) is closed;
4. If α is nonZeno then trace(α) is nonZeno.


Proof. Follows directly from the corresponding properties for the restriction of (A,V)-sequences 
(Lemma 3.11). 


Lemma 4.12 If β is a trace of A then:
1. If β is closed then there exists an execution α of A such that trace(α) = β and α is closed;
2. If β is nonZeno then there exists an execution α of A such that trace(α) = β and α is nonZeno.


Proof. For the first part of the lemma, let β = trace(α) be a closed trace of A. By definition of a trace, we know that β.ltime = α.ltime. We also know that α is either closed or has a suffix which is an infinite sequence of alternating point trajectories and internal actions. Now, let α' be the least closed prefix of α such that α'.ltime = β.ltime. Clearly, α' is a closed execution of A and β = trace(α').
For the second part of the lemma, observe that a nonZeno trace is either closed or admissible. Let β = trace(α). For the case where β is closed, we have already shown how we can find a closed execution. For the case where β = trace(α) is admissible, we know that α.ltime = ∞. Hence, α is admissible, as needed.


Example 4.13 (Constructing a closed execution from a closed trace). Consider the Zeno hybrid sequence α = ℘(v) a ℘(v) a ℘(v) ... given in Example 3.12. Suppose that α is an execution of A and that a is an internal action of A. Then, trace(α) = ℘(v') where ℘(v') is a trajectory over the empty set of variables. However, the fact that trace(α) is closed does not imply that α is closed. Thus, we see why we have a one way implication in item 3 of Lemma 4.11. On the other hand, we can construct a closed execution of A with trace ℘(v') as explained in the proof of Lemma 4.12. The execution consisting of the point trajectory ℘(v) is a closed execution of A with trace ℘(v').


4.3 INVARIANTS 


A state of a timed automaton A is reachable if it is the last state of some closed execution of A. If X is the set of state variables of A and I is a set of valuations of X, then we say that I is an invariant of A if I contains all reachable states of A. We often describe invariants by assertions, formulas that are constructed by applying boolean connectives and quantifications to atomic formulas over the state variables. Define the i-length of a finite (A, V)-sequence β to be equal to the length of β if β ends with a point trajectory, and equal to the length of β plus 1 otherwise. Invariants can be proved by induction on the i-length of executions. Sometimes we may also use the following simple lemma. In order to state the lemma we use some terminology from [90]. A set of valuations I of A is stable if it is preserved by discrete transitions and by trajectories, that is, for all states x, x' ∈ Q, actions a, and trajectories τ ∈ T,

$$x \in I \land x \xrightarrow{a} x' \Rightarrow x' \in I$$
$$\tau.fstate \in I \land \tau\ \text{closed} \Rightarrow \tau.lstate \in I.$$

Set I is inductive if it is stable and moreover contains all the start states, that is Θ ⊆ I.


Lemma 4.14 Let I be a set of states of A that is inductive. Then I is an invariant.

Proof. We must establish that I contains all reachable states of A. Let x be a reachable state. Then x is the final state of some closed execution α. We prove x ∈ I by induction on the i-length k of execution α. If k = 1 then α consists of a point trajectory and hence x is an initial state. Because I is inductive, Θ ⊆ I and hence x ∈ I. If k > 1 then we distinguish between two cases: either α ends with a point trajectory or it does not.


1. In the first case, α has the form α' a τ where τ is a point trajectory containing state x and the i-length of α' is either k − 2 or k − 1 (depending on whether α' ends with a point trajectory or not). Let x' be the last state of α'. Then by induction hypothesis x' ∈ I. But since I is stable and $x' \xrightarrow{a} x$, also x ∈ I.


2. In the second case, α can be written as α' ⌢ τ where α' ends with a point trajectory, τ is a closed trajectory, α'.lstate = τ.fstate, and the i-length of α' equals k − 1. Hence, by induction hypothesis, α'.lstate = τ.fstate ∈ I. Since I is stable, also τ.lstate ∈ I. Hence, x ∈ I.


Example 4.15 (Time-bounded channel). Consider the time-bounded channel automaton from Example 4.1. It is easy to observe that time cannot pass beyond any delivery deadline recorded in the message queue and that each deadline in the queue is less than or equal to the sum of the current time and the bound b. This property can be stated as an invariant assertion as follows.


Invariant 1 In any reachable state x of automaton TimedChannel, for all p ∈ x(queue), x(now) ≤ p.deadline ≤ x(now) + b.


We can prove this invariant using Lemma 4.14. Let I be the set of states that satisfy the assertion, that is, the set of states x such that for all p ∈ x(queue), x(now) ≤ p.deadline ≤ x(now) + b. In the (unique) initial state x, x(queue) is empty and so x ∈ I.

Discrete transitions do not modify variable now and either add or remove a single message from queue. A send(m) transition from state x adds a single message p with p.deadline = x(now) + b. A receive(m) transition removes a single message. Clearly, both types of actions preserve the invariant.

Let τ be a closed trajectory with τ.fstate = x' ∈ I and τ.lstate = x. Suppose that x ∉ I. This means that there is some p ∈ x(queue) for which it does not hold that x(now) ≤ p.deadline ≤ x(now) + b. But since x(queue) = x'(queue), we know that x'(now) ≤ p.deadline ≤ x'(now) + b. Since now increases along trajectories, x'(now) ≤ x(now). It follows that p.deadline < x(now). But since x'(now) ≤ p.deadline and now increases continuously along τ, there exists a nonfinal state x'' on τ with p.deadline = x''(now). But this contradicts the stopping condition for the time-bounded channel. Hence, x ∈ I.

We conclude that I is inductive and hence an invariant.
In practice, we often encounter invariants that are not inductive. In order to prove such invariants we typically first need to establish some auxiliary invariants. This style of reasoning can be formalized using a slight generalization of Lemma 4.14. Again, we use terminology from [90]. Let I1 and I2 be sets of states of A. Then I2 is stable relative to I1 if, for all states x, x' ∈ Q, actions a, and trajectories τ ∈ T,

$$x \in I_1 \cap I_2 \land x \xrightarrow{a} x' \Rightarrow x' \in I_2$$
$$\tau.fstate \in I_1 \cap I_2 \land \tau\ \text{closed} \Rightarrow \tau.lstate \in I_2.$$

Set I2 is inductive relative to I1 if I2 is stable relative to I1 and contains all the start states, that is Θ ⊆ I2.


Lemma 4.16 Let I1 and I2 be sets of states of A such that I1 is an invariant and I2 is inductive relative to I1. Then I2 is an invariant.


Proof. Similar to the proof of Lemma 4.14. 


Example 4.17 (Fischer's mutual exclusion). The main safety property that needs to be satisfied by the automaton FischerME from Example 4.5 is mutual exclusion. This safety property can be expressed as an invariant assertion.


Invariant 2 In any reachable state x of FischerME, there do not exist i: Index and j: Index such that i ≠ j, x(pc)[i] = crit and x(pc)[j] = crit.


Even though the invariant does not refer to time, its proof depends on the timing constraints of the automaton. For example, the following auxiliary invariant can be used in proving Invariant 2.


Invariant 3 In any reachable state x of FischerME, if x(pc)[i] = check, x(x) = embed(i), and x(pc)[j] = set, then x(firstcheck)[i] > x(lastset)[j].


This invariant states that if the program counter of process i has the value check, the program counter of process j has the value set, and the variable x has the value embed(i), then i will allow enough time for j to set x to embed(j), before performing the check. If this timing constraint were not satisfied, it would be possible for i to check that x = embed(i) before j sets x to embed(j). Both of the processes would then observe x to contain their own index and enter the critical region.
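Invariants 2 and 3 checked by exhaustive exploration of the reachable states of FischerME, as an added example that is not part of the monograph. It assumes two participants, integer values of u_set and l_check, and time advancing in unit steps (so only executions whose trajectories have integer length are explored, all of which are genuine executions of Figs. 4.5 and 4.6); it is a bounded model check over a finite horizon of now, not a proof, but it does exhibit the double entry into the critical region that the paragraph above describes when u_set > l_check.

```python
import math
from collections import deque

INF = math.inf
NIL = None                      # the value nil of the shared variable x
PROCS = (0, 1)                  # Index, fixed to two participants here


def start_state():
    """x = nil, pc = constant(rem), lastset = constant(infty), firstcheck = constant(0), now = 0."""
    return (NIL, ("rem", "rem"), (INF, INF), (0, 0), 0)


def discrete_successors(s, u_set, l_check):
    """(action, state') for every transition of Fig. 4.6 that is enabled in s."""
    x, pc, lastset, firstcheck, now = s
    out = []
    for i in PROCS:
        pc_, ls, fc, x_ = list(pc), list(lastset), list(firstcheck), x
        if pc[i] == "rem":                          # try(i)
            name, pc_[i] = "try", "test"
        elif pc[i] == "test":                       # test(i): effect only if x = nil
            name = "test"
            if x == NIL:
                pc_[i], ls[i] = "set", now + u_set
        elif pc[i] == "set":                        # set(i)
            name, x_, pc_[i], ls[i], fc[i] = "set", i, "check", INF, now + l_check
        elif pc[i] == "check":                      # check(i): pre now >= firstcheck[i]
            if now < firstcheck[i]:
                continue
            name, pc_[i] = "check", ("leavetry" if x == i else "test")
        elif pc[i] == "leavetry":                   # crit(i)
            name, pc_[i] = "crit", "crit"
        elif pc[i] == "crit":                       # exit(i)
            name, pc_[i] = "exit", "reset"
        elif pc[i] == "reset":                      # reset(i)
            name, x_, pc_[i] = "reset", NIL, "leaveexit"
        else:                                       # rem(i)
            name, pc_[i] = "rem", "rem"
        out.append(("%s(%d)" % (name, i), (x_, tuple(pc_), tuple(ls), tuple(fc), now)))
    return out


def time_successor(s):
    """Let one time unit pass (d(now) = 1).  The stopping condition 'exists i: now =
    lastset[i]' forbids passing a set deadline, so the tick is allowed only while every
    lastset[i] lies strictly in the future."""
    x, pc, lastset, firstcheck, now = s
    if any(now >= d for d in lastset):
        return None
    return (x, pc, lastset, firstcheck, now + 1)


def mutual_exclusion(s):
    """Invariant 2: at most one process has pc = crit."""
    return sum(p == "crit" for p in s[1]) <= 1


def aux_invariant(s):
    """Invariant 3: pc[i] = check, x = embed(i), pc[j] = set  =>  firstcheck[i] > lastset[j]."""
    x, pc, lastset, firstcheck, _ = s
    return all(firstcheck[i] > lastset[j]
               for i in PROCS for j in PROCS
               if i != j and pc[i] == "check" and x == i and pc[j] == "set")


def explore(u_set, l_check, horizon, invariant):
    """Breadth-first search over the states reachable with now <= horizon.  Returns
    (number of states visited, path) where path is the action sequence leading to the
    first state that violates `invariant`, or None if no visited state violates it."""
    s0 = start_state()
    seen, todo = {s0}, deque([(s0, [])])
    while todo:
        s, path = todo.popleft()
        if not invariant(s):
            return len(seen), path
        succ = discrete_successors(s, u_set, l_check)
        t = time_successor(s)
        if t is not None and t[4] <= horizon:
            succ.append(("tick", t))
        for name, s_ in succ:
            if s_ not in seen:
                seen.add(s_)
                todo.append((s_, path + [name]))
    return len(seen), None


if __name__ == "__main__":
    print("u_set < l_check:", explore(1, 2, 8, mutual_exclusion)[1])   # None: no violation found
    print("u_set > l_check:", explore(2, 1, 8, mutual_exclusion)[1])   # a path to a double crit
```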


4.4 SPECIAL KINDS OF TIMED AUTOMATA 


This section describes several restricted forms of timed automata and gives definitions that are needed 
for theorems that are presented later on in this monograph. 
Timed Automata with Finite Internal Nondeterminism: We are sometimes interested in bounding the amount of internal nondeterminism in a timed automaton. Thus, we say that a timed automaton A has finite internal nondeterminism (FIN) provided that:


1. the set Θ of start states is finite, and


2. for every state x of A and every trace fragment β of A from x, the set {α.lstate | α ∈ frags_A(x) ∧ trace(α) = β} is finite.


Example 4.18 (Automata with FIN). It is not hard to see that the automata TimedChannel, PeriodicSend, PeriodicSend2, and Timeout given in Section 4.1 all have FIN. The first property of the definition of FIN is satisfied since each of these automata has a unique start state. The second property follows from the fact that in each automaton, for every state x and every trace fragment β from x, there is a unique execution fragment α such that trace(α) = β.


Example 4.19 (Automata without FIN). We show that automata FischerME and ClockSync(u, r: Real, i: Index) from Section 4.1 do not have FIN. For each automaton, we specify a trace, describe the set of all executions that have the specified trace, and argue that the second property in the definition of FIN fails for the chosen trace.

Let x be the start state of FischerME and β = τ0 try(i) τ1 be a trace of the same automaton where the domains of the functions τ0 and τ1 are, respectively, the single point interval [0, 0] and the interval [0, u], and the range of both functions is the set consisting of the function with the empty domain. For any execution α, trace(α) = β if and only if α.ltime = u, try(i) occurs at time 0, and all the actions in α that occur after try(i) are internal actions. There are infinitely many different times that the internal actions may occur, and infinitely many values lastset and firstcheck could have, by the time u. Therefore, the set {α.lstate | α ∈ frags_A(x) ∧ trace(α) = τ0 try(i) τ1} is not finite and FischerME does not have FIN.

Now, let x be the start state of ClockSync(u, r: Real, i: Index) where x(physclock) = x(nextsend) = x(maxother) = 0 and β = τ0 send(0) τ1 be a trace of ClockSync(u, r: Real, i: Index) where the domains of functions τ0 and τ1 are, respectively, the interval [0, 0] and the interval [0, u], and the range of both functions is the set consisting of the function with the empty domain. For any α in which send(0) occurs at time 0 and is followed by a trajectory τ such that τ.ltime = u, we have trace(α) = β. For any such α, α.lstate(physclock) can be any value in the interval [u(1 − r), u(1 + r)]. Therefore, the set {α.lstate | α ∈ frags_A(x) ∧ trace(α) = τ0 send(0) τ1} is not finite and ClockSync(u, r: Real, i: Index) does not have FIN.


The following lemma states that if a timed automaton has FIN, then its set of traces is 
limit-closed. 


Lemma 4.20 Suppose that timed automaton A has FIN and x ∈ Q. Suppose that β1, β2, ... is a chain of trace fragments of A from x. Then the hybrid sequence lim_i βi is a trace fragment of A from x.

Proof. This is analogous to the proof of Lemma 4.3 of [86]. Suppose that A is a timed automaton that has FIN, x is a state of A, and β1, β2, ... is a chain of trace fragments of A from x. We define a relation after between trace fragments from x and states of A: after = {(β, y) | ∃α ∈ frags_A(x). trace(α) = β ∧ α.lstate = y}.

We construct a directed graph G whose nodes are pairs (βi, y) ∈ after where βi is an element of the given chain. In G, there is an edge from (βi, y) to (βi+1, y') exactly if βi+1 = βi ⌢ γ such that γ = trace(α) for some α ∈ frags_A(y), and α.lstate = y'. By the definition of property FIN, there are finitely many roots of G of the form (β1, y). By the definition of FIN and the construction of G, each node of G has finite outdegree.

We claim that each node (βi, y) of G is reachable from some root (β1, z) for some z. By definition of the node set, there exists α ∈ frags_A(x) such that trace(α) = βi and α.lstate = y. Choose α' ∈ frags_A(x) to be a prefix of α such that trace(α') = β1 and let z = α'.lstate. By definition of the edge set of G, (βi, y) is reachable from (β1, z).

Hence, G satisfies the hypotheses of Lemma 2.1, which implies that there is an infinite execution fragment starting from x whose trace is lim_i βi. Lemma 2.1 is an extension of König's lemma.


There are two references to automata with FIN later in the monograph. The first one is in 
Theorem 4.21, which lists some sufficient conditions for establishing an implementation relationship 
between two automata. The second reference appears in the discussion about the kinds of automata 
that satisfy the assumptions of Theorem 8.8. 


Feasible Timed Automata: A timed automaton A is feasible provided that, for every state x of A, 
there exists an admissible execution fragment of A from x. 

Feasibility is a basic requirement that any “reasonable” timed automaton should satisfy. The- 
orems 4.21 and 7.2 establish some results about feasible automata. 


Timing-Independent Timed Automata: A timed automaton A is said to be timing-independent provided that all its state variables are discrete variables, and its set of trajectories is exactly the set of constant-valued functions over left-closed time intervals with left endpoint 0.

We refer to timing-independent automata later in Examples 5.14 and 8.10, and in our dis- 
cussion about Theorem 8.8. 
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Timed automata A; and A2 are comparable if they have the same external interface, that is, if 
E, = E». If Aj and Az are comparable then we say that A; implements Az, denoted by A; < A2, 
if the traces of A, are included among those of A2, that is, if /racesA, C traces tos 


1 In [86, 36, 80, 81], definitions of the set of traces of an automaton and of one automaton implementing another are based on 
closed and admissible executions only. The results we obtain in this monograph using the newer, more inclusive definition imply 
corresponding results for the earlier definition. For example, we have the following property: If Ay < A2 then the set of traces 
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Other preorders between timed automata could also be used as implementation relationships, 
for example, if A; and A2 are comparable timed automata, we could consider: 


* Every closed trace of Aj is a trace of A2. 
* Every admissible trace of A, is a trace of A2. 


* Every nonZeno trace of Aj is a trace of Ap. 


Theorem 4.21 Let A; and Az be comparable TAs. 


1. If'every closed trace of A, is a trace of Az and Az has FIN, then A, < Ao. 


2. If every admissible trace of A is a trace of Az and A is feasible, then every closed trace of A, is a 
trace of Ag. 


3. If every admissible trace of. A] is a trace of. A2, A1 is feasible, and Ad has FIN, then A, < Ad. 


Proof. Part 1 follows from Lemma 4.20. 
For Part 2, consider a closed trace 8 of A. By feasibility of A1, we may extend f to an 
admissible trace 6’ of A1. Then by assumption, A’ is also a trace of A2. By prefix closure of the set 
of traces, f is a trace of A2. 
Part 3 follows from Parts 1 and 2. 


4.6 SIMULATION RELATIONS 


In this section, we define simulation relations between timed automata. Simulation relations may 
be used to show that one TA implements another, in the sense of inclusion of sets of traces. We 
define two main types of simulation relations (forward and backward simulations) and three derived 
notions (refinements, history relations and prophecy relations). 

Forward simulations are more commonly used than backward simulations because they are 
easier to think about and are general enough to cover most interesting situations that arise in practice. 
Backward simulations are sometimes necessary, in particular, when nondeterministic choices are 
resolved earlier in the specification than in the implementation. In proving implementation relations, 
we prefer to use forward simulation relations whenever they exist, since backward simulations are 
harder to think about. 


(footnote 1, continued) that arise from closed or admissible executions of $A_1$ is a subset of the set of traces that arise from closed or admissible executions of $A_2$. This follows from Lemmas 4.11 and 4.12.
4.6.1 FORWARD SIMULATIONS


Let A and B be comparable TAs. A forward simulation from A to B is a relation $R \subseteq Q_A \times Q_B$ satisfying the following conditions, for all states $x_A$ and $x_B$ of A and B, respectively.

1. If $x_A \in \Theta_A$ then there exists a state $x_B \in \Theta_B$ such that $x_A \mathrel{R} x_B$.

2. If $x_A \mathrel{R} x_B$ and α is an execution fragment of A consisting of one action surrounded by two point trajectories, with α.fstate = $x_A$, then B has a closed execution fragment β with β.fstate = $x_B$, trace(β) = trace(α), and α.lstate R β.lstate.

3. If $x_A \mathrel{R} x_B$ and α is an execution fragment of A consisting of a single closed trajectory, with α.fstate = $x_A$, then B has a closed execution fragment β with β.fstate = $x_B$, trace(β) = trace(α), and α.lstate R β.lstate.


The first condition states that for each start state of A there exists a related start state of B. The second and third conditions, which are referred to as transfer properties, assert that each discrete transition, respectively each trajectory, of A can be simulated by a corresponding execution fragment of B with the same trace.

If both R and $R^{-1}$ are forward simulations then we say that R is a bisimulation from A to B. Bisimulation relations play an important role in the automated analysis of timed and hybrid systems, see e.g. [6, 67, 122]. However, the bisimulations used for automated analysis are usually time abstracted bisimulations, whereas in our definition a trajectory α of one automaton must be simulated by a trajectory β of the other automaton with exactly the same duration (trace(β) = trace(α)); these durations may differ in a time abstracted bisimulation.

Forward simulation relations induce a preorder between timed automata. 


Theorem 4.22 Let A, B, and C be comparable TAs. If $R_1$ is a forward simulation from A to B and $R_2$ is a forward simulation from B to C, then $R_2 \circ R_1$ is a forward simulation from A to C.


Even though the definition of a forward simulation only refers to closed trajectories, it also yields a correspondence for open trajectories.


Lemma 4.23 Let A and B be comparable TAs and let R be a forward simulation from A to B. Let $x_A$ and $x_B$ be states of A and B, respectively, such that $x_A \mathrel{R} x_B$. Let α be an execution fragment of A from state $x_A$ consisting of a single open trajectory. Then B has an execution fragment β with β.fstate = $x_B$ and trace(β) = trace(α).


Proof. Let τ be the single open trajectory in α. Using Axioms T1 and T2, we construct an infinite sequence $\tau_0\, \tau_1 \ldots$ of closed trajectories of A such that $\tau = \tau_0 \frown \tau_1 \frown \cdots$. Then, working recursively, we construct a sequence $\beta_0\, \beta_1 \ldots$ of closed execution fragments of B such that $\beta_0$.fstate = $x_B$ and, for each i, $\tau_i$.lstate R $\beta_i$.lstate, $\beta_i$.lstate = $\beta_{i+1}$.fstate, and trace($\tau_i$) = trace($\beta_i$). This construction uses induction on i, using Property 3 of the definition of a forward simulation in the induction step. Now let $\beta = \beta_0 \frown \beta_1 \frown \cdots$. By Lemma 4.7, β is an execution fragment of B. Clearly, β.fstate = $x_B$. By Lemma 3.9 applied to both α and β, trace(β) = trace(α). Thus, β has the required properties.


Theorem 4.24 Let A and B be comparable TAs and let R be a forward simulation from A to B. Let $x_A$ and $x_B$ be states of A and B, respectively, such that $x_A \mathrel{R} x_B$. Then $\mathit{tracefrags}_A(x_A) \subseteq \mathit{tracefrags}_B(x_B)$.


Proof. Suppose that δ is the trace of an execution fragment of A that starts from $x_A$; we prove that δ is also a trace of an execution fragment of B that starts from $x_B$. Let $\alpha = \tau_0\, a_1\, \tau_1\, a_2\, \tau_2 \ldots$ be an execution fragment of A such that α.fstate = $x_A$ and δ = trace(α). We consider the following cases.


1. α is an infinite sequence.

Using Axioms T1 and T2, we can write α as an infinite concatenation $\alpha_0 \frown \alpha_1 \frown \alpha_2 \cdots$, in which the execution fragments $\alpha_i$ with i even consist of a trajectory only, and the execution fragments $\alpha_i$ with i odd consist of a single discrete step surrounded by two point trajectories.

We define inductively a sequence $\beta_0\, \beta_1 \ldots$ of closed execution fragments of B, such that $\beta_0$.fstate = $x_B$ and, for all i, $\beta_i$.lstate = $\beta_{i+1}$.fstate, $\alpha_i$.lstate R $\beta_i$.lstate, and trace($\beta_i$) = trace($\alpha_i$). We use Property 3 of the definition of a simulation for the construction of the $\beta_i$'s with i even, and Property 2 for the construction of the $\beta_i$'s with i odd. Let $\beta = \beta_0 \frown \beta_1 \frown \beta_2 \cdots$. By Lemma 4.7, β is an execution fragment of B. Clearly, β.fstate = $x_B$. By Lemma 3.9, trace(β) = trace(α). Thus, β has the required properties.


2. α is a finite sequence ending with a closed trajectory.

Similar to the first case.

3. α is a finite sequence ending with an open trajectory.

Similar to the first case, using Lemma 4.23.


The next corollary states that forward simulations constitute a sound technique for proving 
trace inclusion between timed automata. 


Corollary 4.25 Let A and B be comparable TAs and let R be a forward simulation from A to B. Then $A \le B$.


Proof. Suppose $\beta \in \mathit{traces}_A$. Then $\beta \in \mathit{tracefrags}_A(x_A)$ for some start state $x_A$ of A. Property 1 of the definition of simulation implies the existence of a start state $x_B$ of B such that $x_A \mathrel{R} x_B$. Then Theorem 4.24 implies that $\beta \in \mathit{tracefrags}_B(x_B)$. Since $x_B$ is a start state of B, this implies that $\beta \in \mathit{traces}_B$, as needed.
Example 4.26 (Time-bounded channels). Consider two instances of the specification in Fig. 4.1, TimedChannel(b1, M) and TimedChannel(b2, M) where b1 < b2. We define a forward simulation R from TimedChannel(b1, M) to TimedChannel(b2, M) below. If x is a state of TimedChannel(b1, M) and y is a state of TimedChannel(b2, M), then x R y provided that the following conditions are satisfied:

1. x(now) = y(now);

2. |x(queue)| = |y(queue)|. We use |q| to denote the length of an object q of type queue;

3. $\forall i.\ 1 \le i \le |x(\mathit{queue})|$, if x(queue)(i) = [m, u1] then y(queue)(i) = [m, u2], for some u2 with u1 < u2.


We can prove that R is a forward simulation from the automaton TimedChannel(b1, M) to the automaton TimedChannel(b2, M) by showing that R satisfies each of the three properties in the definition of a forward simulation relation. In each automaton there is a unique initial state that maps the variable now to 0 and queue to the empty sequence. It is obvious that the initial states, which are identical, are related by R and so the first property is satisfied.

For the rest of the proof, we let x and y be, respectively, states of TimedChannel(b1, M) and TimedChannel(b2, M) such that x R y. In order to show that the second property is satisfied, we need to consider two cases, one for each discrete action that may be performed by TimedChannel(b1, M).

If TimedChannel(b1, M) performs a send(m) action, and the state changes from x to x', then we need to find an execution fragment β of TimedChannel(b2, M) from y ending in y', such that x' R y' and trace(β) is the same as the trace of ℘(x) send(m) ℘(x'). The execution fragment β = ℘(y) send(m) ℘(y') satisfies the required conditions. This follows from the hypothesis that x R y and the definition of R, using the fact that the effects of a send(m) action of TimedChannel(b1, M) and TimedChannel(b2, M) are, respectively, adding the entry [m, now + b1] to x(queue) and [m, now + b2] to y(queue), where b1 < b2.

If TimedChannel(b1, M) performs a receive(m) action, and the state changes from x to x', then we need to show that receive(m) is also enabled in y and that there is an execution fragment with the required properties that ends in a state y' such that x' R y'. In order to show that receive(m) is enabled in y, we use the hypothesis that x R y, which implies that the first element of y(queue) is of the form [m, u] for some u. The execution fragment ℘(y) receive(m) ℘(y') of TimedChannel(b2, M) can be shown to satisfy the required conditions.

For the third property, we consider a closed trajectory τ of TimedChannel(b1, M) with τ.fstate = x and show that there exists a closed execution fragment β of the automaton TimedChannel(b2, M) with β.fstate = y, trace(β) = trace(τ), and τ.lstate R β.lstate. It is easy to check that the trajectory τ' of TimedChannel(b2, M) with τ'.fstate = y and τ'.ltime = τ.ltime satisfies the required conditions.
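
The three transfer checks in this proof can also be exercised mechanically on concrete states. The following Python script is an added example and is not code from the monograph. It models TimedChannel(b, M) of Fig. 4.1 as a (now, queue) state with the send, receive and time-passage steps described above (this state encoding, the message names m1 and m2, and the trajectory durations are constructed assumptions), and explores pairs of related states of TimedChannel(b1, M) and TimedChannel(b2, M) up to a bounded depth, checking that each step of the former is matched by the step of the latter with the same trace and that the post-states are again related. Run with the parameters swapped, the same check reports a violation at the first send, because the deadline ordering required by condition 3 then fails.

```python
from fractions import Fraction

# Constructed model of TimedChannel(b, M) from Fig. 4.1 (added example, not
# the monograph's own code). A state is a pair (now, queue); queue is a tuple
# of (message, deadline) entries in send order.

def send(state, b, m):
    """Discrete step send(m): enqueue m with delivery deadline now + b."""
    now, queue = state
    return (now, queue + ((m, now + b),))

def receive(state, m):
    """Discrete step receive(m): enabled iff m is at the head of the queue.
    Returns the post-state, or None when the action is not enabled."""
    now, queue = state
    if queue and queue[0][0] == m:
        return (now, queue[1:])
    return None

def advance(state, d):
    """Closed trajectory of limit time d with d(now) = 1. The trajectory
    definition stops when some deadline equals now, so time may advance by
    d only if no deadline falls strictly before now + d."""
    now, queue = state
    if any(deadline < now + d for (_, deadline) in queue):
        return None
    return (now + d, queue)

def related(x, y):
    """Conditions 1-3 of the relation R in Example 4.26: equal clocks, equal
    queue lengths, the same messages in order, and each b1-deadline strictly
    earlier than the matching b2-deadline."""
    (x_now, x_queue), (y_now, y_queue) = x, y
    return (x_now == y_now and len(x_queue) == len(y_queue)
            and all(mx == my and ux < uy
                    for (mx, ux), (my, uy) in zip(x_queue, y_queue)))

def check_forward_simulation(b1, b2, messages=("m1", "m2"),
                             durations=(Fraction(1, 2), Fraction(1)), depth=4):
    """Bounded exploration of the transfer properties. Starting from the
    common initial state, every send, enabled receive and trajectory of
    TimedChannel(b1) from x is matched by the step of TimedChannel(b2) from
    y with the same trace; the pair of post-states must be related again.
    Returns (number of related pairs visited, list of violations)."""
    start = (Fraction(0), ())
    violations = []
    seen = set()
    frontier = [(start, start, 0)]
    while frontier:
        x, y, k = frontier.pop()
        if (x, y) in seen or k > depth:
            continue
        seen.add((x, y))

        def match(label, x2, y2):
            # y2 is None when the matching step is not enabled in y
            if y2 is None or not related(x2, y2):
                violations.append((label, x, y))
            else:
                frontier.append((x2, y2, k + 1))

        for m in messages:
            match("send(%s)" % m, send(x, b1, m), send(y, b2, m))
            x2 = receive(x, m)
            if x2 is not None:
                match("receive(%s)" % m, x2, receive(y, m))
        for d in durations:
            x2 = advance(x, d)
            if x2 is not None:
                match("trajectory of limit time %s" % d, x2, advance(y, d))
    return len(seen), violations

if __name__ == "__main__":
    visited, bad = check_forward_simulation(Fraction(1), Fraction(2))
    print("b1=1, b2=2: %d related pairs, %d violations" % (visited, len(bad)))
    visited, bad = check_forward_simulation(Fraction(2), Fraction(1))
    print("b1=2, b2=1: first violation is", bad[0][0] if bad else None)
```

This is a bounded test of the transfer properties on the related pairs reachable by matched steps, not a proof; the argument above is what covers all related pairs. Exact rationals are used for now and the deadlines so that the stop-when comparison is never disturbed by floating-point rounding.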


Example 4.27 (Time-bounded channel that keeps all messages). In this example we define a variant of TimedChannel from Example 4.1 called TimedChannel2. The main difference between TimedChannel and TimedChannel2 is that the message queue in TimedChannel2 is implemented using a finite sequence of (message, delivery deadline) pairs queue and a pointer ptr that points to the next element that is to be delivered. Hence, the internal variables of TimedChannel2 consist of queue, now and ptr. The variable ptr initially has value 1, which indicates that it is pointing to the first element in the sequence. A send(m) action causes messages and deadlines to be added to the sequence as in TimedChannel. A receive(m) causes ptr to be incremented to make it point to the next element in the sequence instead of removing the first element. The stop when predicate tests if there is a packet in the queue with index greater than or equal to ptr and deadline equal to now. The automaton TimedChannel can be viewed as an optimized implementation of TimedChannel2.

We define below a forward simulation R from TimedChannel to TimedChannel2. If x is a state of TimedChannel and y is a state of TimedChannel2, then x R y provided that the following conditions are satisfied:

1. x(now) = y(now);

2. x(queue) = y(queue)(y(ptr) ... |y(queue)|).

Here, we assume the sequence representation of queues and use the subsequence notation from Chapter 2 to denote the part of the queue that starts with the index ptr and ends with the index |y(queue)|.


Example 4.28 (Clock synchronization). In this example, we define a forward simulation from ClockSync(u,r:Real, i:Index) of Fig. 4.7 to an automaton that sends multiples of u. The specification of this automaton, which is called SendVal, is given in Fig. 4.8. We assume that the Index types in both automata are identical. The variable counter keeps track of which multiple of u is to be sent next, and variable now contains the current time. The automaton parameter r is used in the precondition of the send and the stopping condition of the trajectory definition, to enforce bounds on the times of occurrence of send.

The following predicate defines a forward simulation R from automaton ClockSync(u,r:Real, i:Index) to automaton SendVal:

$\mathit{now} \cdot (1 - r) \le \mathit{physclock} \le \mathit{now} \cdot (1 + r) \;\wedge\; \mathit{counter} \cdot u = \mathit{nextsend} \ge \mathit{physclock}.$


Whereas automaton ClockSync(u,r:Real, i:Index) is more intuitive as a specification, automaton SendVal is easier for analysis purposes, since its continuous dynamics is simpler.

automaton SendVal(u, r: Real, i: Index) where u > 0 ∧ 0 ≤ r < 1
signature
  external send(m: Real),
  receive(m: Real, j: Index, const i: Index) where j ≠ i
states
  counter: discrete Real := 0,
  now: Real := 0
transitions
  external send(m, i)
    pre
      m = counter * u ∧ counter * u / (1 + r) ≤ now
    eff
      counter := counter + 1
  external receive(m, j, i)
trajectories
  stop when
    now = counter * u / (1 − r)
  evolve
    d(now) = 1

Figure 4.8: Clock synchronization.

4.6.2 REFINEMENTS

A refinement is a simple, special case of a forward simulation, often used in practice (see, for instance, [105, 110]), in which the relation between states of A and B is a partial function.

Let A and B be comparable TAs. A refinement from A to B is a partial function F from $Q_A$ to $Q_B$, satisfying the following conditions, for all states $x_A$ and $x_B$ of A and B, respectively.

1. If $x_A \in \Theta_A$ then $x_A \in \mathit{dom}(F)$ and $F(x_A) \in \Theta_B$.

2. If α is an execution fragment of A consisting of one action surrounded by two point trajectories and α.fstate ∈ dom(F), then α.lstate ∈ dom(F) and B has a closed execution fragment β with β.fstate = F(α.fstate), trace(β) = trace(α), and β.lstate = F(α.lstate).

3. If α is an execution fragment of A consisting of a single closed trajectory and α.fstate ∈ dom(F), then α.lstate ∈ dom(F) and B has a closed execution fragment β with β.fstate = F(α.fstate), trace(β) = trace(α), and β.lstate = F(α.lstate).

Note that, by a trivial inductive argument, the set of states for which F is defined contains all the reachable states of A (and is thus an invariant of this automaton).


Theorem 4.29 Let A and B be two TAs and suppose $R \subseteq Q_A \times Q_B$. Then R is a refinement from A to B if and only if R is a forward simulation from A to B and R is a partial function.


The following theorem states a basic sanity property of refinements, namely closure under 
composition. 


Theorem 4.30 Let A, B, and C be comparable TAs. If $R_1$ is a refinement from A to B and $R_2$ is a refinement from B to C, then $R_2 \circ R_1$ is a refinement from A to C.

A weak isomorphism from A to B is a refinement F from A to B such that $F^{-1}$ is a refinement from B to A. We say that two automata A and B are weakly isomorphic if there exists a weak isomorphism from A to B (or, equivalently, from B to A).


Example 4.31 (Refinements). In Example 4.26 we established a forward simulation between two instances of the TA in Fig. 4.1, TimedChannel(b1, M) and TimedChannel(b2, M) with b1 < b2. It is not hard to see that there also exists a refinement from TimedChannel(b1, M) to TimedChannel(b2, M): just add b2 − b1 to the deadline of each packet in the queue.

In Example 4.28 we defined a forward simulation from automaton ClockSync(u,r:Real, i:Index) to automaton SendVal. In this case, however, there does not exist a refinement from ClockSync(u,r:Real, i:Index) to SendVal if r > 0. The proof is by contradiction. Suppose that F is a refinement from ClockSync(u,r:Real, i:Index) to SendVal. Then F maps the initial state of ClockSync(u,r:Real, i:Index) to the initial state of SendVal. Since send actions can be simulated, the state s0 of ClockSync(u,r:Real, i:Index) with nextsend = u and physclock = 0 is mapped by F to the state of SendVal with counter = 1 and now = 0. Consider an outgoing trajectory of s0 with positive limit time to a state s1 in which the physical clock runs maximally fast, and a trajectory with the same limit time to a state s2 in which the physical clock runs maximally slow. Since r > 0, s1 and s2 are distinct. By the transfer property for trajectories, both s1 and s2 are mapped onto the same state of SendVal. Now observe that there exists a trajectory with positive limit time from s2 to s1. This trajectory cannot be simulated in SendVal, since in this automaton there are no nontrivial trajectories from a state to itself. Contradiction.


4.6.3 BACKWARD SIMULATIONS 


Let A and B be comparable TAs. A backward simulation from A to B is a total relation $R \subseteq Q_A \times Q_B$ satisfying the following conditions, for all states $x_A$ and $x_B$ of A and B, respectively:

1. If $x_A \in \Theta_A$ and $x_A \mathrel{R} x_B$ then $x_B \in \Theta_B$.

2. If $x_A \mathrel{R} x_B$ and α is an execution fragment of A with α.lstate = $x_A$, consisting of one discrete action surrounded by two point trajectories, then B has a closed execution fragment β with β.lstate = $x_B$, trace(β) = trace(α), and α.fstate R β.fstate.

3. If $x_A \mathrel{R} x_B$ and α is an execution fragment of A with α.lstate = $x_A$, consisting of one trajectory, then B has a closed execution fragment β with β.lstate = $x_B$, trace(β) = trace(α), and α.fstate R β.fstate.


Backward simulations are closed under relational composition, and hence induce a preorder 
between timed automata. 


Theorem 4.32 Let A, B, and C be comparable TAs. If $R_1$ is a backward simulation from A to B and $R_2$ is a backward simulation from B to C, then $R_2 \circ R_1$ is a backward simulation from A to C.

Theorem 4.33 Let A and B be comparable TAs and let R be a backward simulation from A to B. Let $x_A$ and $x_B$ be states of A and B, respectively, such that $x_A \mathrel{R} x_B$. Let β be the trace of a closed execution fragment of A from $y_A$ with last state $x_A$. Then there exists $y_B$ such that β is also the trace of a closed execution fragment of B from $y_B$ with last state $x_B$ and $y_A \mathrel{R} y_B$.


Proof. Fix some R, $x_A$, $x_B$, and β satisfying the conditions in the statement of the theorem. Let $\alpha \in \mathit{frags}_A(y_A)$ for some state $y_A$ of A with trace(α) = β and α.lstate = $x_A$. By using Axioms T1 and T2, we can write α as the concatenation of a sequence of closed execution fragments, $\alpha = \alpha_0 \frown \alpha_1 \frown \cdots \frown \alpha_n$, where each $\alpha_i$ is either a closed trajectory or an action surrounded by two point trajectories, $\alpha_i$.lstate = $\alpha_{i+1}$.fstate for $0 \le i \le n-1$, and $\alpha_n$.lstate = $x_A$.

By using the definition of a backward simulation, working backwards from $\alpha_n$, we can construct an execution fragment $\alpha' = \alpha'_0 \frown \alpha'_1 \frown \cdots \frown \alpha'_n$ from a state $y_B$ of B such that (a) α'.lstate = $x_B$, (b) for all i, $0 \le i \le n$, $\alpha_i$.fstate R $\alpha'_i$.fstate and trace($\alpha_i$) = trace($\alpha'_i$), (c) for all i, $0 \le i \le n-1$, $\alpha'_i$.lstate = $\alpha'_{i+1}$.fstate. Using Lemma 4.7, we can see that α' is an execution fragment of B. By Lemma 3.9, trace(α) = trace(α'), as needed.


The next corollary states that backward simulations constitute a sound technique for proving 
inclusion of closed traces between timed automata. 


Corollary 4.34 Let A and B be comparable TAs and let R be a backward simulation from A to B. Then every closed trace of A is a trace of B.

Proof. Suppose R is a backward simulation from A to B and β is a closed trace of A. Then β = trace(α) for some closed execution α of A. Let $x_A$ and $y_A$ be the first and last states of α, respectively. By the totality of relation R, there exists some state $y_B$ of B such that $y_A \mathrel{R} y_B$. By Theorem 4.33, there exists $x_B$ of B such that β is the trace of a closed execution fragment of B from $x_B$ with last state $y_B$ and $x_A \mathrel{R} x_B$. Property 1 of the definition of a backward simulation relation implies that $x_B$ is a start state of B. It follows that $\beta \in \mathit{traces}_B$, as needed.


Image-finite backward simulations constitute a sound technique for proving inclusion of (all) 
traces between timed automata. 


Theorem 4.35 Let A and B be comparable TAs and let R be an image-finite backward simulation from A to B. Then $\mathit{traces}_A \subseteq \mathit{traces}_B$.

Proof. Let $\beta \in \mathit{traces}_A$. If β is closed then Corollary 4.34 implies that β is a trace of B. From now on we assume β is not closed.

Let $\alpha \in \mathit{execs}_A$ with trace(α) = β. Note that any such α is either an infinite sequence $\tau_0\, a_1\, \tau_1 \ldots$ or a finite sequence $\tau_0\, a_1\, \tau_1 \ldots \tau_n$ where the final trajectory $\tau_n$ is right open. In either case, using Axioms T1 and T2, we can construct an infinite sequence $\alpha_0\, \alpha_1 \ldots$ of closed execution fragments such that $\alpha = \alpha_0 \frown \alpha_1 \frown \cdots$ where $\alpha_0$ is a point trajectory, each $\alpha_i$ is either a closed trajectory or an action surrounded by two point trajectories, and $\alpha_i$.lstate = $\alpha_{i+1}$.fstate for each i, $0 \le i$.

We construct a directed graph G whose nodes are pairs (x, i) consisting of a state of B and an index such that $(\alpha_i.\mathit{lstate}, x) \in R$. In G, there is an edge from (x, i) to (x', j) exactly if j = i + 1 and there is an $\alpha' \in \mathit{frags}_B(x)$ with trace(α') = trace($\alpha_{i+1}$) such that α'.lstate = x'. By image-finiteness of R and the definition of the edge set, each node has finite outdegree. By using the definition of a backward simulation and the edge set of G, we can show that each node (x, i) is reachable from some root node (z, 0) for some start state z of B. Since R is image-finite there are finitely many roots of G.

The directed graph G satisfies the hypotheses of Lemma 2.1, which implies that there is an infinite path in G starting from a root. An edge from a node (x, i) to (x', i + 1) along this infinite path corresponds to a closed execution fragment $\gamma_{i+1}$ of B, for i, $0 \le i$, such that $\gamma_{i+1}$.fstate = x, $\gamma_{i+1}$.lstate = x' and trace($\gamma_{i+1}$) = trace($\alpha_{i+1}$). By Lemma 4.7, $\gamma = \gamma_1 \frown \gamma_2 \frown \cdots$ is an execution of B and by Lemma 3.9, trace(γ) = trace($\gamma_1$) ⌢ trace($\gamma_2$) .... Since trace($\gamma_{i+1}$) = trace($\alpha_{i+1}$) for all i, $0 \le i$, and $\alpha_0$ is a point trajectory, by Lemma 3.9, we get trace(γ) = trace(α) = β.


Example 4.36 (A backward simulation relation). This example illustrates the difference between forward and backward simulations. We consider two automata A and B and show that a forward simulation from A to B does not exist, while we exhibit a backward simulation from A to B.

Let A and B be two comparable automata specified below. The trajectory sets consist of point trajectories only. This implies that the automata do not allow time to pass: everything happens at time 0.


* $X_A = \{\mathit{stateA}\}$ and $X_B = \{\mathit{stateB}\}$ where:
  stateA is a discrete variable with $\mathit{type}(\mathit{stateA}) = \{x_A, y_A, q_A, s_A\}$, and
  stateB is a discrete variable with $\mathit{type}(\mathit{stateB}) = \{x_B, y_B, y'_B, q_B, s_B\}$.

* $Q_A = \mathit{val}(X_A)$ and $Q_B = \mathit{val}(X_B)$. We write $x_A$ for the valuation that maps stateA to $x_A$, $y_A$ for the valuation that maps stateA to $y_A$, etc. Similarly, we write $x_B$ for the valuation that maps stateB to $x_B$, $y_B$ for the valuation that maps stateB to $y_B$, etc.

* $\Theta_A = \{x_A\}$ and $\Theta_B = \{x_B\}$.

* $E_A = E_B = \{a, b, c\}$ and $H_A = H_B = \emptyset$.

* $D_A = \{(x_A, a, y_A), (y_A, b, q_A), (y_A, c, s_A)\}$, and
  $D_B = \{(x_B, a, y_B), (x_B, a, y'_B), (y_B, b, q_B), (y'_B, c, s_B)\}$.

* $T_A = \{\wp(v) \mid v \in Q_A\}$, and $T_B = \{\wp(v) \mid v \in Q_B\}$.

Figure 4.9: Difference between forward and backward simulations.


Figure 4.9 displays automata A and B as directed multigraphs. The nodes in the graph represent 
states and the edges represent discrete transitions where a label on an edge stands for the action 
involved in the transition. 

An obvious candidate for a forward simulation from A to B is the relation

$R = \{(x_A, x_B), (y_A, y_B), (y_A, y'_B), (q_A, q_B), (s_A, s_B)\}.$

However, observe that even though $y_A$ and $y_B$ are related by R, the execution fragment $\wp(y_A)\, c\, \wp(s_A)$ of A cannot be matched by any execution fragment of B starting with state $y_B$. Similarly, even though $y_A$ and $y'_B$ are related by R, the execution fragment $\wp(y_A)\, b\, \wp(q_A)$ of A cannot be matched by any execution fragment of B starting with $y'_B$. Therefore, R is not a forward simulation. In fact, there is no forward simulation relation from A to B: there are finitely many possibilities for forward simulations from A to B and we see that none of them is a forward simulation by examining all the possibilities. The main reason for this is that while A makes the nondeterministic choice between performing b or c after performing a, B makes its choice earlier, at the same time it performs a.

There is, however, a backward simulation from A to B: the relation R defined above is a 
backward simulation. 
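
The claim that no forward simulation from A to B exists can be checked mechanically instead of by hand enumeration. The following Python script is an added example and is not code from the monograph. It transcribes A, B and the relation R of Example 4.36 (the state and action names are the ones used above), checks the discrete transfer properties of R both as a forward and as a backward simulation, and then computes the largest relation satisfying the forward (respectively backward) transfer property as a greatest fixpoint. Relations satisfying a transfer property are closed under union, so a forward simulation exists exactly when that largest relation already relates the start states; this is the general form of the exhaustive check the example describes, and it goes beyond the single candidate R. The script relies on the fact, stated above, that all trajectories are point trajectories and there are no internal actions, so the trajectory transfer properties hold trivially and an execution fragment with trace a is a single a-step.

```python
# Constructed transcription of the automata A and B of Example 4.36 (added
# example, not the monograph's own code). All trajectories are point
# trajectories and there are no internal actions, so only the discrete
# transfer properties need to be checked.
A = {
    "start": {"xA"},
    "states": {"xA", "yA", "qA", "sA"},
    "steps": {("xA", "a", "yA"), ("yA", "b", "qA"), ("yA", "c", "sA")},
}
B = {
    "start": {"xB"},
    "states": {"xB", "yB", "yB'", "qB", "sB"},
    "steps": {("xB", "a", "yB"), ("xB", "a", "yB'"),
              ("yB", "b", "qB"), ("yB'", "c", "sB")},
}
# The candidate relation R of Example 4.36.
R = {("xA", "xB"), ("yA", "yB"), ("yA", "yB'"), ("qA", "qB"), ("sA", "sB")}


def forward_transfer_ok(xa, xb, rel, a, b):
    """Property 2 of a forward simulation at the pair (xa, xb): every step of
    a leaving xa is matched by a step of b leaving xb with the same action
    and a related target."""
    return all(any(s == xb and act == l and (dst, t) in rel
                   for (s, l, t) in b["steps"])
               for (src, act, dst) in a["steps"] if src == xa)


def backward_transfer_ok(xa, xb, rel, a, b):
    """Property 2 of a backward simulation at (xa, xb): every step of a
    entering xa is matched by a step of b entering xb with the same action
    and a related source."""
    return all(any(t == xb and act == l and (src, s) in rel
                   for (s, l, t) in b["steps"])
               for (src, act, dst) in a["steps"] if dst == xa)


def is_forward_simulation(rel, a, b):
    """Start condition plus the forward transfer property at every pair."""
    start_ok = all(any((p, q) in rel for q in b["start"]) for p in a["start"])
    return start_ok and all(forward_transfer_ok(p, q, rel, a, b)
                            for (p, q) in rel)


def is_backward_simulation(rel, a, b):
    """Totality, property 1 (start states map to start states) and the
    backward transfer property at every pair."""
    total = all(any((p, q) in rel for q in b["states"]) for p in a["states"])
    start_ok = all(q in b["start"] for (p, q) in rel if p in a["start"])
    return total and start_ok and all(backward_transfer_ok(p, q, rel, a, b)
                                      for (p, q) in rel)


def largest_relation(candidates, ok):
    """Greatest fixpoint: drop every pair violating the transfer property
    until the relation is stable. The union of relations satisfying the
    property satisfies it too, so the result is the largest such relation."""
    rel = set(candidates)
    while True:
        bad = {(p, q) for (p, q) in rel if not ok(p, q, rel)}
        if not bad:
            return rel
        rel -= bad


def forward_simulation_exists(a, b):
    """A forward simulation exists iff the largest relation with the forward
    transfer property relates each start state of a to a start state of b."""
    rel = largest_relation({(p, q) for p in a["states"] for q in b["states"]},
                           lambda p, q, rel: forward_transfer_ok(p, q, rel, a, b))
    return all(any((p, q) in rel for q in b["start"]) for p in a["start"])


def largest_backward_simulation(a, b):
    """Largest relation with properties 1 and 2 of a backward simulation;
    it is a backward simulation iff it is total."""
    candidates = {(p, q) for p in a["states"] for q in b["states"]
                  if p not in a["start"] or q in b["start"]}
    return largest_relation(candidates,
                            lambda p, q, rel: backward_transfer_ok(p, q, rel, a, b))


def backward_simulation_exists(a, b):
    rel = largest_backward_simulation(a, b)
    return all(any((p, q) in rel for q in b["states"]) for p in a["states"])


if __name__ == "__main__":
    print("R forward simulation:", is_forward_simulation(R, A, B))
    print("R backward simulation:", is_backward_simulation(R, A, B))
    print("any forward simulation:", forward_simulation_exists(A, B))
    print("largest backward simulation:", sorted(largest_backward_simulation(A, B)))
```

For these two automata the largest backward-simulation candidate computed by the script coincides with the relation R above, while the largest relation with the forward transfer property relates only $q_A$ and $s_A$ to states of B and so misses the start pair $(x_A, x_B)$, which is the mechanical counterpart of the argument that no forward simulation exists.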


4.6.4 HISTORY RELATIONS 


A relation $R \subseteq Q_A \times Q_B$ is a history relation from A to B if R is a forward simulation from A to B and $R^{-1}$ is a refinement from B to A. History relations induce a preorder between timed automata.

An automaton B is obtained from an automaton A by adding history variables if there exists a set of variables X such that:

1. $X_B = X_A \cup X$ and $X_A \cap X = \emptyset$;

2. $Q_B \lceil X_A \subseteq Q_A$; and

3. relation $\{(x, y) \mid y \in Q_B \text{ and } y \lceil X_A = x\}$ is a history relation from A to B.
The method of adding history variables is typically used to make it possible to establish an implementation relationship using a refinement. If a refinement does not exist from a low-level automaton to a higher-level one, it can often be made to exist by adding history variables to the low-level automaton.


Example 4.37 (Adding history variables to obtain a refinement). We cannot show that TimedChannel is an implementation of TimedChannel2 from Example 4.27 by using a refinement. This is because we have no way of specifying what the subsequence before the pointer should be in TimedChannel2 when relating the states of the two automata. This example shows how we can add history variables to TimedChannel (actually, we add just one variable) to obtain a new automaton that is related to TimedChannel2 by a refinement.

Let log be a discrete variable whose static type is the same as the static type of queue in TimedChannel and let the initial value of log be the empty sequence. We define a new automaton TimedChannelH whose set of variables consists of the variables of TimedChannel and the variable log. The rest of the definition of TimedChannelH is the same as TimedChannel except for the transition definition for receive(m). A receive(m) event in TimedChannelH not only removes the first message from the message queue but also appends this message to the sequence contained in log.

Let $X_1$, $X_2$ be the sets of variables and $Q_1$, $Q_2$ be the sets of states of TimedChannel and TimedChannelH, respectively. It is easy to verify that the relation $\{(x, y) \mid y \in Q_2 \text{ and } y \lceil X_1 = x\}$ is a history relation from TimedChannel to TimedChannelH. This means that TimedChannelH is obtained from TimedChannel by adding a history variable.

We now define a refinement F from TimedChannelH to TimedChannel2 as follows. In our definition we assume the following conventions. Concatenation on the left corresponds to putting an element on the front of a queue. Recall also that we use juxtaposition for concatenation of sequences. If x is a state of TimedChannelH and y is a state of TimedChannel2, then F(x) = y where:

1. y(now) = x(now);
2. y(queue) = x(log) ⌢ x(queue);
3. y(ptr) = |x(log)| + 1.
Whenever an automaton B is obtained from A by adding history variables, then there exists a history relation from A to B by definition. Theorem 4.38 states that the converse also holds, if weakly isomorphic automata are considered.

Theorem 4.38 Let A and B be two comparable TAs. Suppose that there is a history relation from A to B. Then, there exists a TA C that is weakly isomorphic to B and is obtained from A by adding history variables.
Proof. Assume, without loss of generality, that $X_A$ and $X_B$ are disjoint. Let R be a history relation from A to B. Define automaton C as follows:

* $X_C = X_A \cup X_B$.

* $Q_C = \{x \in \mathit{val}(X_C) \mid (x \lceil X_A, x \lceil X_B) \in R\}$.

* $\Theta_C = \{x \in Q_C \mid x \lceil X_B \in \Theta_B\}$.

* $E_C = E_B$ and $H_C = H_B$.

* $x \xrightarrow{a}_C y$ if and only if $x \lceil X_B \xrightarrow{a}_B y \lceil X_B$.

* $T_C = \{\tau \in \mathit{trajs}(Q_C) \mid \tau \lceil X_B \in T_B\}$.

Let $F : Q_C \to Q_B$ be the projection function such that $F(x) = x \lceil X_B$ for all $x \in Q_C$. It is easy to check that F is a weak isomorphism from C to B. We verify that C is obtained from A by adding history variables. Let $X_B$ be the variable set X required in the definition of a history variable and let $R' = \{(x, y) \mid y \in Q_C \wedge y \lceil X_A = x\}$. We need to show that R' is a history relation from A to C.

1. R' is a forward simulation from A to C.
By definitions of the relations F, R' and the automaton C, $R' = F^{-1} \circ R$. Since $F^{-1}$ is a refinement from B to C, by Theorem 4.29, we know that it is a forward simulation from B to C. Since R is a forward simulation from A to B, by Theorem 4.22 we have that R' is a forward simulation from A to C, as needed.

2. $R'^{-1}$ is a refinement from C to A.
We use that $R'^{-1} = R^{-1} \circ F$. Since F is a refinement from C to B and $R^{-1}$ is a refinement from B to A, by Theorem 4.30, we have that $R'^{-1}$ is a refinement from C to A, as needed.


In the untimed case, forward simulations are essentially the same as history relations (or variables) combined with refinements [85, Theorem 5.8]. Clearly, since history relations and refinements are both special cases of forward simulations, and since forward simulations compose, forward simulations are at least as powerful as arbitrary combinations of history relations and refinements. Conversely, if there is a forward simulation from A to B then there exists an automaton C with a history relation from A to C and a refinement from C to B. In [87], a corresponding result is claimed for timed automata (Theorem 7.8), but the proof turns out to be flawed. Example 7.13 of [87] constitutes a counterexample to Theorem 7.8 of [87]. Below, we have translated the example to the setting of this monograph.


Example 4.39 (Forward simulations more powerful than combinations of history relations and refinements). Consider the automata A and B specified in Figure 4.10. The two automaton definitions are very similar. Whereas in A an a-action is enabled when init = true and the value of now is a rational number, in B an a-action is enabled when init = true and the value of now is an integer. Whereas automaton A has a perfect clock with rate 1, automaton B measures time with a clock that may run either too slow or too fast, in an arbitrary fashion.

automaton A
signature
  external a
states
  init: Bool := true,
  now: Real := 0
transitions
  external a
    pre
      init ∧ rational(now)
    eff
      init := false
trajectories
  evolve
    d(now) = 1

automaton B
signature
  external a
states
  init: Bool := true,
  now: Real := 0
transitions
  external a
    pre
      init ∧ integer(now)
    eff
      init := false
trajectories
  evolve
    d(now) > 0

Figure 4.10: The power of forward simulations.

It is easy to check that the predicate

$\mathit{natural}(B.\mathit{now}) \wedge A.\mathit{init} = B.\mathit{init}$

determines a forward simulation from A to B. However, there does not exist a timed automaton C with a history relation from A to C and a refinement from C to B. The proof is by contradiction: suppose C is such a timed automaton. Let $x_0$ be a start state of C, let F be a history relation from A to C, and let R be a refinement from C to B. Then, by the start condition of a history relation, the start state (0, true) of A is related to $x_0$ by F. By the start condition of a refinement, R maps $x_0$ to the start state (0, true) of B. Since in A there is a trajectory with limit time 1 from (0, true) to (1, true), the transfer property for F gives that in C there is a trajectory τ with limit time 1 from $x_0$ to some state $x_1$ that is related by F to (1, true). Next, the transfer property for R gives that in B there is a trajectory with limit time 1 from (0, true) to state $R(x_1) = (t, \mathit{true})$, for some t > 0. Since state (1, true) in A enables an a-action, $x_1$ enables an execution fragment in which an a-action takes place within 0 time. Since $x_1$ is mapped by R to (t, true), it follows by the transfer property for R that t in fact equals some natural number n > 0. By Axioms T1 and T2, we can write τ as the concatenation $\tau_0 \frown \tau_1 \frown \cdots \frown \tau_n$ of n + 1 trajectories that all have limit time $\frac{1}{n+1}$. Using the fact that F is a history relation and the limit times of the trajectories $\tau_i$ are rational, we may infer that the last state of each trajectory $\tau_i$ enables an execution fragment in which an a-action takes place within 0 time. Using the fact that R is a refinement, we may infer that there is a trajectory in B from (0, true) to (n, true) on which there are at least n + 2 states (including the first and last state) in which an a-action is enabled. This contradicts the fact that in B actions a are only enabled at integer times, which implies that there are only n + 1 such states on any trajectory from (0, true) to (n, true).


4.6.5 PROPHECY RELATIONS


A relation R ⊆ Q_A × Q_B is a prophecy relation from A to B if R is a backward simulation from A
to B and R^{-1} is a refinement from B to A. Prophecy relations induce a preorder between timed
automata.

An automaton B is obtained from an automaton A by adding prophecy variables if there exists
a set of variables X such that:

1. X_B = X_A ∪ X and X_A ∩ X = ∅;

2. Q_B ⌈ X_A ⊆ Q_A; and

3. the relation {(x, y) | y ∈ Q_B and y ⌈ X_A = x} is a prophecy relation from A to B.


Example 4.40 (Adding prophecy variables to obtain a refinement). We consider adding a prophecy
variable to the automaton A from Example 4.36. Let C be the automaton defined as follows.

• X_C = X_A ∪ {v}, where v is a discrete variable with type(v) = {b, c}.

• Q_C = {x_C, x'_C, y_C, y'_C, q_C, s_C} such that
    x_C ⌈ X_A = x_A and x_C(v) = b,
    x'_C ⌈ X_A = x_A and x'_C(v) = c,
    y_C ⌈ X_A = y_A and y_C(v) = b,
    y'_C ⌈ X_A = y_A and y'_C(v) = c,
    q_C ⌈ X_A = q_A and q_C(v) = b,
    s_C ⌈ X_A = s_A and s_C(v) = c.

• Θ_C = {x_C, x'_C}.

• E_C = {a, b, c} and H_C = ∅.

• D_C = {(x_C, a, y_C), (x'_C, a, y'_C), (y_C, b, q_C), (y'_C, c, s_C)}.

• T_C = {℘(x) | x ∈ Q_C}, the set of point trajectories.

Figure 4.11 displays automata A and C as directed multigraphs.

Relation R = {(x_A, x_C), (x_A, x'_C), (y_A, y_C), (y_A, y'_C), (q_A, q_C), (s_A, s_C)} is a backward simulation
from A to C and R^{-1} is a refinement. Therefore, C is obtained by adding a prophecy variable
Figure 4.11: A prophecy variable.


to A. Note that there is no refinement from A to the automaton B defined in Example 4.36. However, relation
F = {(x_C, x_B), (x'_C, x'_B), (y_C, y_B), (y'_C, y'_B), (q_C, q_B), (s_C, s_B)} is a refinement from C to B.


Theorem 4.41 Let A and B be two comparable TAs such that V_A and V_B are disjoint. Suppose that
there is a prophecy relation from A to B. Then there exists an automaton C that is isomorphic to B and is
obtained from A by adding prophecy variables.


Proof. The proof is analogous to the proof of Theorem 4.38. We assume a backward simulation 
relation R instead of a forward simulation relation. We construct the automaton C as in Theorem 4.38 
and verify that it is obtained from A by adding a prophecy variable. 
CHAPTER 5


Operations on Timed Automata 


In this chapter we introduce three kinds of operations on timed automata: parallel composition, 
hiding, and adding lower and upper bounds for tasks. 


5.1 COMPOSITION 


The composition operation for timed automata allows an automaton representing a complex system
to be constructed by composing automata representing individual system components. Our composition
operation identifies external actions with the same name in different component automata.
When any component automaton performs a discrete step involving an action a, so do all component
automata that have a as an external action. The composition operator for timed automata is simpler
than it is for general hybrid automata since all the variables in a timed automaton are internal.¹ All
the proofs of this section are as in [79], with simplifications due to the absence of external variables.


5.1.1 DEFINITIONS AND BASIC RESULTS 


Formally, we say that timed automata A1 and A2 are compatible if H1 ∩ A2 = H2 ∩ A1 = ∅ and
X1 ∩ X2 = ∅. If A1 and A2 are compatible then their composition A1 || A2 is defined to be the
structure A = (X, Q, Θ, E, H, D, T) where

• X = X1 ∪ X2;

• Q = {x ∈ val(X) | x ⌈ X_i ∈ Q_i, i ∈ {1, 2}};

• Θ = {x ∈ Q | x ⌈ X_i ∈ Θ_i, i ∈ {1, 2}};

• E = E1 ∪ E2 and H = H1 ∪ H2;

• For each x, x' ∈ Q and each a ∈ A, x →_a x' iff for i ∈ {1, 2}, either (1) a ∈ A_i and x ⌈ X_i →_a
x' ⌈ X_i, or (2) a ∉ A_i and x ⌈ X_i = x' ⌈ X_i;

• T ⊆ trajs(Q) is given by τ ∈ T ⇔ τ ↓ X_i ∈ T_i, i ∈ {1, 2}.


Theorem 5.1 If A1 and A2 are compatible timed automata then A1 || A2 is a timed automaton.


¹ The composition operation for general hybrid automata requires external variables to be identified as well as external actions.
When any component automaton follows a particular trajectory for an external variable v, then so do all component automata of
which v is an external variable.
The following "projection lemma" says that execution fragments of a composition of timed
automata project to give execution fragments of the component automata. Moreover, certain properties
of the fragments of the composition imply, or are implied by, similar properties for the component
fragments.


Lemma 5.2 Let A = A1 || A2 and let α be an execution fragment of A. Then α ⌈ (A1, X1) and
α ⌈ (A2, X2) are execution fragments of A1 and A2, respectively. Furthermore:

1. α is time-bounded iff both α ⌈ (A1, X1) and α ⌈ (A2, X2) are time-bounded;
2. α is admissible iff both α ⌈ (A1, X1) and α ⌈ (A2, X2) are admissible;
3. α is closed iff both α ⌈ (A1, X1) and α ⌈ (A2, X2) are closed;
4. α is nonZeno iff both α ⌈ (A1, X1) and α ⌈ (A2, X2) are nonZeno;
5. α is an execution iff both α ⌈ (A1, X1) and α ⌈ (A2, X2) are executions.
The following lemma says that we obtain the same result for an execution fragment α of a
composition if we first extract the trace and then restrict to one of the components, or if we first
restrict to the component and then take the trace.


Lemma 5.3 Let A = A1 || A2, and let α be an execution fragment of A. Then, for i ∈ {1, 2},
trace(α) ⌈ (E_i, ∅) = trace(α ⌈ (A_i, X_i)).


Proof. Straightforward, using the definition of trace() and Lemma 3.10. 


The following two theorems are fundamental results that relate the set of traces of a composed
automaton to the sets of traces of its components. Theorem 5.4 is due to Gilbert [37, Lemma
11.14.1]. The proof closely follows the proof of Theorem 5.7 in [79].


Theorem 5.4 Let A = A1 || A2. Let α_i be an execution fragment of A_i, i ∈ {1, 2}.
Let β be an (E, ∅)-sequence, where E is the set of external actions of A. Suppose that β ⌈ (E_i, ∅) =
trace(α_i), i ∈ {1, 2}. Then there exists an execution fragment α of A such that trace(α) = β and α_i =
α ⌈ (A_i, X_i), i ∈ {1, 2}.


Theorem 5.5 Let A = A1 || A2 and let E be the set of external actions of A. Then traces_A is exactly the
set of (E, ∅)-sequences whose restrictions to A1 and A2 are traces of A1 and A2, respectively.
That is, traces_A = {β | β is an (E, ∅)-sequence and β ⌈ (E_i, ∅) ∈ traces_{A_i}, i ∈ {1, 2}}.
Proof. We prove both inclusions.

Suppose that β ∈ traces_A. Then by definition β is an (E, ∅)-sequence. Let α be an execution
of A with trace(α) = β. Then, by Lemma 5.2, α ⌈ (A_i, X_i) is an execution of A_i, and, by Lemma 5.3,
β ⌈ (E_i, ∅) = trace(α ⌈ (A_i, X_i)). Hence β ⌈ (E_i, ∅) ∈ traces_{A_i}.

For the other inclusion, suppose β is an (E, ∅)-sequence and β ⌈ (E_i, ∅) ∈ traces_{A_i}, i ∈ {1, 2}.
Then there exist execution fragments α_i of A_i such that trace(α_i) = β ⌈ (E_i, ∅). Hence, by
Theorem 5.4, there exists an execution fragment α of A with trace(α) = β. This implies β ∈ traces_A, as
required.


These basic results about composition can be extended to arbitrary finite numbers of compo- 
nents instead of just two. 


Notation: The compatibility conditions for composition require the set of internal variables of
each automaton to be disjoint from the set of internal variables of all the other automata in the
composition. We use a general scheme to disambiguate the internal variables of components in
order to avoid possible name clashes that can violate the compatibility conditions. If A is the name
of an automaton and v is an internal variable of A, then we refer to this variable as A.v in the
composite automaton. But if no confusion is possible, we write v rather than A.v.


Example 5.6 (Periodic sending process with timeouts). Let C be the composition of three automata
from Examples 4.1, 4.2, and 4.4:


C = PeriodicSend || TimedChannel || Timeout 


where M = {m1, ..., mn} and b + u1 < u2. In a setting where b < u1, the following sequence is a
trace of C:

α = ℘(u1) send(m1) ℘(b) receive(m1) ℘(u1 − b) send(m2) ℘(b) receive(m2) ℘(u1 − b) ...

where ℘(t) denotes the trace with domain [0, t] and with range the set consisting of the function with
the empty domain. The following invariant states that C never performs a timeout action.


Invariant 4 In any reachable state x of C, x(suspected) = false.


In order to prove this invariant we can use auxiliary invariants for the component automata,
such as the one established in Example 4.15, and an auxiliary global invariant such as the one below,
which establishes the fact that every message is delivered before the variable Timeout.clock reaches
the point at which a timeout action occurs.


Invariant 5 In any reachable state x of C:

1. if x(queue) is not empty then there is a packet p such that
p ∈ x(queue) and p.deadline − x(now) < u2 − x(Timeout.clock);

2. if x(queue) is empty then
u1 − x(PeriodicSend.clock) + b < u2 − x(Timeout.clock).


Example 5.7 (Periodic sending process with failures and timeouts). In this example, we consider
a composite automaton defined exactly like the one in Example 5.6 except that the automaton
PeriodicSend is replaced with PeriodicSend2, the periodic sending process with failures. Let C =
PeriodicSend2 || TimedChannel || Timeout. The following sequence is a trace of C:


℘(u1) send(m1) ℘(b) receive(m1) ℘(b) fail ℘(u2 − b) timeout ℘(0).


According to this sample trace, the first message sent by the periodic sending process is received
exactly b time units after it is sent. The periodic sending process fails 2 × b time units after sending
its first message. The timeout process performs a timeout since no second message arrives within
the next u2 time units after the receipt of the first message.

The following invariant states that a timeout performed by C can be used to conclude that
the sender process has failed. We assume again that b + u1 < u2.


Invariant 6 In any reachable state x of C,
x(Timeout.suspected) ⇒ x(PeriodicSend2.failed).


The automaton C is guaranteed to perform a timeout to signal the failure of a process, within 
a specified amount of time after the occurrence of a fail event. The following is a formal statement 
of this property. 

Let α be an admissible execution of C in which a fail event occurs. Let t be the point in
time at which the first fail event occurs in α. Then a timeout event occurs in α in the interval
[t + u2 − u1, t + b + u2].


Example 5.8 (Clock synchronization). In this example, we consider the composition of three
clock synchronization automata with six time-bounded channel automata. A graphical representation
of the composite automaton is given in Fig. 5.1. The abbreviation CS_i represents the
automaton ClockSync(u, r, i) from Example 4.6. The abbreviation TC_{i,j} represents the automaton
TimedChannel from Example 4.1, the time-bounded channel with maximum delay b, but with the
send(m) and receive(m) actions renamed to send(m, i) and receive(m, i, j), respectively, to
enable communication of real-valued messages from ClockSync(u, r, i) to ClockSync(u, r, j).
Let

C = CS_1 || CS_2 || CS_3 || TC_{1,2} || TC_{2,1} || TC_{1,3} || TC_{3,1} || TC_{2,3} || TC_{3,2}.


A physical clock diverges from real time at the largest rate when it evolves with rate (1 + r) or
(1 − r). For example, if a physical clock evolves with rate 1 + r, then at time t, its value is t × (1 + r).
Hence, the largest possible difference between a physical clock and the real time is t × r. This
property is stated by the invariant below.
Figure 5.1: Clock synchronization network.


Invariant 7 In any reachable state x of C, at any time t ∈ T, for any i ∈ {1, 2, 3},
|x(CS_i.physclock) − t| ≤ t × r.


Two physical clocks in C diverge at the largest rate when one evolves with rate (1 + r) and
the other with (1 − r). It follows from Invariant 7 that, at any time t, the largest possible difference
between the physical clock values for two processes is 2 × t × r. This property is formalized by the
following invariant.


Invariant 8 In any reachable state x of C, at any time t ∈ T, for any i, j ∈ {1, 2, 3},
|x(CS_i.physclock) − x(CS_j.physclock)| ≤ 2 × t × r.


The following invariant states that in any reachable state there exists a process j such that the 
logical clock of each other process in the system is smaller than or equal to the physical clock of j. 
This follows from the definition of a logical clock and the fact that physical clocks always increase. 


Invariant 9 In any reachable state x of C, there exists j ∈ {1, 2, 3} such that for all i ∈ {1, 2, 3},
x(CS_i.logclock) ≤ x(CS_j.physclock).
The following invariant states that in any reachable state there exists a process j such that the
logical clock of each other process in the system is larger than or equal to the physical clock of j.
This follows from the definition of a logical clock.


Invariant 10 In any reachable state x of C, there exists j ∈ {1, 2, 3} such that for all i ∈ {1, 2, 3},
x(CS_i.logclock) ≥ x(CS_j.physclock).


Invariants 9 and 10 together are called validity properties. They express the condition that all
the logical clocks remain in an envelope bounded by the maximum and minimum physical clock
values in the system. The following invariant formalizes the property that all the logical clocks at a
given time lie within the envelope formed by the largest and the smallest physical clock values in
the system. It follows from Invariants 7, 9, and 10 that any point in this envelope can diverge from
real time t by at most t × r time units.


Invariant 11 In any reachable state x of C, at any time t ∈ T, for any i ∈ {1, 2, 3},
|x(CS_i.logclock) − t| ≤ t × r.


Finally, we state a property about the agreement oflogical clocks in C. It says that the difference 
between two logical clocks is always bounded by a constant (which depends on the message-sending 
interval and the bounds on clock drift and message delay). 


Invariant 12 In any reachable state x of C, for all i, j ∈ {1, 2, 3},
|x(CS_i.logclock) − x(CS_j.logclock)| ≤ u + (b × (1 + r)).


To see why Invariant 12 holds, fix j to be a process with the largest physical clock in x, and
fix i to be any other process. Let v_j, v_i be the logical clock values of j and i, respectively, in state
x. Note that v_j is also the physical clock value of j in x. By Invariant 9, we know that v_i ≤ v_j. To
show Invariant 12, it suffices to show that v_j − v_i ≤ u + (b × (1 + r)).

Let o be a finite execution that leads to state x. There are two cases to consider. 


1. Some message sent by j arrives at i in α.
Consider the last such message and let v_1 be the value that it contains. Let v_2 be the newly
adjusted logical clock value of i immediately after the message arrives. We know that v_i ≥
v_2 ≥ v_1.


If j sends a later message to i in α, then it sends the next later message when its physical clock
has value v_1 + u. By assumption, this message does not arrive at i. Therefore, the real time that
elapses after sending it must be at most b. It follows that the physical clock increase of j since
sending this message is at most b × (1 + r) and so v_j ≤ v_1 + u + b × (1 + r). On the other
hand, if j does not send a later message to i in α, then v_j ≤ v_1 + u. In either case, we have
v_j ≤ v_1 + u + b × (1 + r). Since v_i ≥ v_1, we have v_j − v_i ≤ u + b × (1 + r), as needed for
Invariant 12.


2. No message sent by j arrives at i in α.
Since the first send occurs at time 0 and b is the largest possible communication delay, the
fact that i has not received the first message sent by j at time 0 implies that t ≤ b. Since both
clocks start at 0, we have v_j ≤ b × (1 + r) and v_i ≥ 0. Therefore, v_j − v_i ≤ u + b × (1 + r),
which suffices for Invariant 12.
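A numerical check of Invariants 7 to 12 on the network of Example 5.8, added here as an illustration (this is not code from the monograph). It assumes the behaviour of ClockSync(u, r, i) used in the proof above: each process sends its physical clock value to the others every u units of that clock (first send at time 0), remembers the largest value received, and takes its logical clock to be the maximum of that value and its own physical clock; physical clock rates are held fixed per process (the automaton allows any rate in [1 − r, 1 + r]) and channel delays in [0, b] are drawn from a seeded generator.

```python
import heapq
import random

def simulate_clocksync(u, r, b, rates, horizon, seed=0):
    """Simulate CS_1 || CS_2 || CS_3 with the six TimedChannel automata until real
    time `horizon`.  rates[i] is the fixed rate of CS_i.physclock.  Returns, for
    each of Invariants 7 to 12, the largest (quantity - bound) seen at any event
    time, checked before and after each discrete step; <= 0 means it held."""
    n = len(rates)
    rng = random.Random(seed)                     # resolves channel delays in [0, b]
    phys = [0.0] * n                              # CS_i.physclock
    maxother = [0.0] * n                          # largest value received by CS_i
    worst = {inv: float("-inf") for inv in (7, 8, 9, 10, 11, 12)}
    last_t = 0.0
    seq = n                                       # tie-breaker for the event heap
    events = [(0.0, i, "send", i) for i in range(n)]   # every process sends at time 0
    heapq.heapify(events)

    def check(t):
        log = [max(phys[i], maxother[i]) for i in range(n)]        # CS_i.logclock
        pairs = [(i, j) for i in range(n) for j in range(n) if i < j]
        worst[7] = max(worst[7], max(abs(phys[i] - t) - t * r for i in range(n)))
        worst[8] = max(worst[8], max(abs(phys[i] - phys[j]) - 2 * t * r for i, j in pairs))
        worst[9] = max(worst[9], max(log) - max(phys))     # some j bounds every logclock above
        worst[10] = max(worst[10], min(phys) - min(log))   # some j bounds every logclock below
        worst[11] = max(worst[11], max(abs(log[i] - t) - t * r for i in range(n)))
        worst[12] = max(worst[12], max(abs(log[i] - log[j]) - (u + b * (1 + r))
                                       for i, j in pairs))

    while events and events[0][0] <= horizon:
        t, _, kind, payload = heapq.heappop(events)
        for i in range(n):                        # trajectory: d(physclock) = rates[i]
            phys[i] += rates[i] * (t - last_t)
        last_t = t
        check(t)                                  # state reached by the trajectory
        if kind == "send":
            i = payload
            for j in range(n):                    # send(m, i) with m = physclock, over TC_{i,j}
                if j != i:
                    seq += 1
                    heapq.heappush(events, (t + rng.uniform(0, b), seq, "recv", (j, phys[i])))
            seq += 1                              # next send once physclock has grown by u
            heapq.heappush(events, (t + u / rates[i], seq, "send", i))
        else:
            j, m = payload                        # receive(m, i, j): keep the largest value
            maxother[j] = max(maxother[j], m)
        check(t)                                  # state reached by the discrete step
    return worst

def invariants_hold(u=10.0, r=0.01, b=2.0, horizon=500.0):
    """True iff every invariant's worst margin is <= 0 when the three clocks run
    at the extreme rates 1 + r, 1 - r and 1 (a tiny tolerance absorbs rounding)."""
    worst = simulate_clocksync(u, r, b, [1 + r, 1 - r, 1.0], horizon)
    return all(margin <= 1e-9 for margin in worst.values())
```

A clock drifting faster than the model allows (rate above 1 + r) shows up immediately as a positive margin for Invariant 7, so the same check also catches an assumption that does not hold.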


5.1.2 SUBSTITUTIVITY RESULTS


Theorem 5.5, which relates the set of traces of a composed automaton to the set of traces of component
automata, is fundamental for compositional reasoning. We now introduce another important class
of results, substitutivity results, that are useful for decomposing verification of composite automata.
These results are best understood by viewing one of the components of a composition as the system
and the other as the environment with which the system interacts.

The following result states that if a TA A1 can be shown to implement another one A2,
with no assumptions about their environments, then A1 can be shown to implement A2 in a given
environment B.


Theorem 5.9 Suppose A1, A2, and B are TAs, A1 and A2 are comparable, and each of A1 and A2 is
compatible with B. If A1 ≤ A2 then A1 || B ≤ A2 || B.


Commutativity of the composition operation together with repeated application of Theo- 
rem 5.9 gives the following corollary. 


Corollary 5.10 Suppose A1, A2, B1, and B2 are TAs, A1 and A2 are comparable, B1 and B2 are
comparable, and each of A1 and A2 is compatible with each of B1 and B2. If A1 ≤ A2 and B1 ≤ B2
then A1 || B1 ≤ A2 || B2.


We can strengthen Corollary 5.10 slightly by the following corollary: if A1 implements A2 in
an environment B2, then A1 composed with an environment that is more restrictive than B2 (whose
set of external behaviors is smaller than that of B2) implements A2 composed with B2.


Corollary 5.11 Suppose A1, A2, B1, and B2 are TAs, A1 and A2 are comparable, B1 and B2 are
comparable, and each of A1 and A2 is compatible with each of B1 and B2. If A1 || B2 ≤ A2 || B2 and
B1 ≤ B2 then A1 || B1 ≤ A2 || B2.


Proof. Let β ∈ traces_{A1 || B1}. By Theorem 5.5, β ⌈ (E_{A1}, ∅) ∈ traces_{A1} and β ⌈ (E_{B1}, ∅) ∈ traces_{B1}.
Since B1 ≤ B2, β ⌈ (E_{B1}, ∅) ∈ traces_{B2}. Since B1 and B2 have the same external actions, it follows
that β ⌈ (E_{B2}, ∅) ∈ traces_{B2}. We have β ⌈ (E_{A1}, ∅) ∈ traces_{A1} and β ⌈ (E_{B2}, ∅) ∈ traces_{B2}. By
Theorem 5.5, β ∈ traces_{A1 || B2}. Since A1 || B2 ≤ A2 || B2 by assumption, β ∈ traces_{A2 || B2}, as needed.
The following corollary assumes that A1 implements A2 in an auxiliary context B3 and,
symmetrically, that B1 implements B2 in an auxiliary context A3. A3 and B3 might express weaker
constraints than A2 and B2, for instance, just their safety restrictions. The corollary further assumes
that A1 || B1 implements A3 || B3, a fact that might be easy to show if the constraints expressed by
A3 and B3 are sufficiently weak. The conclusion, as before, is that A1 || B1 implements A2 || B2.


Corollary 5.12 Suppose A1, A2, A3, B1, B2, and B3 are TAs such that A1, A2, and A3 have the
same external actions, B1, B2, and B3 have the same external actions, and A_i is compatible with B_j for
i, j ∈ {1, 2, 3}. Suppose further that:

1. A1 || B1 ≤ A3 || B3;

2. A1 || B3 ≤ A2 || B3 and A3 || B1 ≤ A3 || B2.

Then A1 || B1 ≤ A2 || B2.


Proof. Let β be a trace of A1 || B1. By projection using Theorem 5.5, β ⌈ (E_{A1}, ∅) ∈ traces_{A1}
and β ⌈ (E_{B1}, ∅) ∈ traces_{B1}. Since A1 || B1 ≤ A3 || B3, we know that β ∈ traces_{A3 || B3}. By projection
using Theorem 5.5, β ⌈ (E_{A3}, ∅) ∈ traces_{A3} and β ⌈ (E_{B3}, ∅) ∈ traces_{B3}. By pasting using
Theorem 5.5, we have β ∈ traces_{A1 || B3} and β ∈ traces_{A3 || B1}. By Assumption 2, we get β ∈ traces_{A2 || B3} and
β ∈ traces_{A3 || B2}. Then, by projection using Theorem 5.5, β ⌈ (E_{A2}, ∅) ∈ traces_{A2} and β ⌈ (E_{B2}, ∅) ∈
traces_{B2}. Finally, by pasting using Theorem 5.5, we have β ∈ traces_{A2 || B2}, as needed.


For other preorders, we also get substitutivity results, for example: 


Theorem 5.13 Suppose A1, A2, and B are TAs, A1 and A2 have the same external actions, and each
of A1 and A2 is compatible with B.

1. If every closed trace of A1 is a trace of A2 then every closed trace of A1 || B is a trace of A2 || B.

2. If every admissible trace of A1 is a trace of A2 then every admissible trace of A1 || B is a trace of
A2 || B.

3. If every nonZeno trace of A1 is a trace of A2 then every nonZeno trace of A1 || B is a trace of A2 || B.


Example 5.14 (A counterexample for a desirable substitutivity theorem).

Suppose A1 and A2 have the same external actions, B1 and B2 have the same external
actions, and that each of A1 and A2 is compatible with each of B1 and B2. If we view A2 and B2 as
specifications and want to prove that A1 || B1 ≤ A2 || B2, it would be useful to have a theorem that
says if A1 || B2 ≤ A2 || B2 and A2 || B1 ≤ A2 || B2 then A1 || B1 ≤ A2 || B2. That is, if A1 implements
A2 in the context of B2 and B1 implements B2 in the context of A2, we would like to conclude that
automaton CatchUpA
  signature
    external a, b
  states
    counta: Nat := 0, countb: Nat := 0,
    now: Real := 0, next: discrete Real := 0
  transitions
    external a
      pre
        (counta ≤ countb) ∧ (now = next)
      eff
        counta := counta + 1;
        next := now + 1
    external b
      eff
        countb := countb + 1;
        next := now + 1
  trajectories
    stop when
      now = next
    evolve
      d(now) = 1

automaton CatchUpB
  signature
    external a, b
  states
    counta: Nat := 0, countb: Nat := 0,
    now: Real := 0, next: discrete Real := 0
  transitions
    external a
      eff
        counta := counta + 1;
        next := now + 1
    external b
      pre
        (countb + 1 ≤ counta) ∧ (now = next)
      eff
        countb := countb + 1;
        next := now + 1
  trajectories
    stop when
      now = next
    evolve
      d(now) = 1

Figure 5.2: CatchUpA and CatchUpB.
automaton BoundedAlternateA
  signature
    external a, b
  states
    myturn: Bool := true,
    maxout: Nat
  transitions
    external a
      pre
        myturn ∧ (maxout > 0)
      eff
        myturn := false;
        maxout := maxout - 1
    external b
      eff
        myturn := true

automaton BoundedAlternateB
  signature
    external a, b
  states
    myturn: Bool := false,
    maxout: Nat
  transitions
    external a
      eff
        myturn := true
    external b
      pre
        myturn ∧ (maxout > 0)
      eff
        myturn := false;
        maxout := maxout - 1

Figure 5.3: BoundedAlternateA and BoundedAlternateB.


A1 || B1 implements A2 || B2. We show by means of a counterexample that it is impossible to prove
such a theorem. The problem arises with the infinite behaviors of A1 || B1.

As examples for A1, B1, A2, and B2, consider, respectively, the automata CatchUpA, CatchUpB,
BoundedAlternateA, BoundedAlternateB in Figs. 5.2 and 5.3. All automata have the same set of
actions, consisting of the external actions a and b. CatchUpA can perform an arbitrary number of b
actions, and can perform an a provided that counta ≤ countb and one time unit has elapsed since
the occurrence of the last action. CatchUpA allows counta to increase to one more than countb.
CatchUpB can perform an arbitrary number of a actions, and can perform a b provided that counta
is at least one more than countb. CatchUpB allows countb to reach counta.

BoundedAlternateA has an infinite number of start states, each giving a different finite bound
on the number of a actions it can perform. Similarly, BoundedAlternateB has an infinite number of
start states, each giving a different finite bound on the number of b actions it can perform. Note
that the absence of trajectory definitions in the specifications of these automata implies that they are
timing-independent. That is, there is no constraint on the timing of actions.

The automata CatchUpA and CatchUpB strictly alternate a's and b's until a maximum count is
reached, when put in the context of, respectively, BoundedAlternateB and BoundedAlternateA. Hence,
on the one hand

(CatchUpA || BoundedAlternateB) ≤ (BoundedAlternateA || BoundedAlternateB),

and

(BoundedAlternateA || CatchUpB) ≤ (BoundedAlternateA || BoundedAlternateB).

On the other hand, (CatchUpA || CatchUpB) can perform an infinite sequence of alternating a
and b actions, which is not allowed by (BoundedAlternateA || BoundedAlternateB). Hence,
(CatchUpA || CatchUpB) does not implement (BoundedAlternateA || BoundedAlternateB).
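To replay the counterexample, here is an added executable model of the four automata of Figs. 5.2 and 5.3 and of the composition operator of Section 5.1.1 (example code written for this page, not the monograph's). The modelling choice is an assumption of the example: each automaton is a pair of functions, one for discrete steps and one for time passage, and an alternation is driven with one time unit between actions, which is the spacing the CatchUp automata enforce through their next variable.

```python
from dataclasses import dataclass, replace

# Modelling choice for this example: an automaton is a pair (step, delay).
#   step(s, act) -> successor state, or None if act is not enabled in s
#   delay(s, d)  -> state after d time units, or None if stop-when forbids it

@dataclass(frozen=True)
class CatchUp:          # state of CatchUpA and of CatchUpB (same variables)
    counta: int = 0
    countb: int = 0
    now: float = 0.0
    next: float = 0.0

def catchup_a_step(s, act):
    # CatchUpA: a needs counta <= countb and now = next; b is always enabled
    if act == "a" and s.counta <= s.countb and s.now == s.next:
        return replace(s, counta=s.counta + 1, next=s.now + 1)
    if act == "b":
        return replace(s, countb=s.countb + 1, next=s.now + 1)
    return None

def catchup_b_step(s, act):
    # CatchUpB: a is always enabled; b needs countb + 1 <= counta and now = next
    if act == "a":
        return replace(s, counta=s.counta + 1, next=s.now + 1)
    if act == "b" and s.countb + 1 <= s.counta and s.now == s.next:
        return replace(s, countb=s.countb + 1, next=s.now + 1)
    return None

def catchup_delay(s, d):
    # trajectories: d(now) = 1, stop when now = next
    return replace(s, now=s.now + d) if s.now + d <= s.next else None

@dataclass(frozen=True)
class BoundedAlt:       # state of BoundedAlternateA and of BoundedAlternateB
    myturn: bool
    maxout: int

def bounded_a_step(s, act):
    # BoundedAlternateA: a only on its turn and while maxout > 0; b returns the turn
    if act == "a" and s.myturn and s.maxout > 0:
        return BoundedAlt(False, s.maxout - 1)
    if act == "b":
        return BoundedAlt(True, s.maxout)
    return None

def bounded_b_step(s, act):
    # BoundedAlternateB: the mirror image, bounding the number of b actions
    if act == "a":
        return BoundedAlt(True, s.maxout)
    if act == "b" and s.myturn and s.maxout > 0:
        return BoundedAlt(False, s.maxout - 1)
    return None

def untimed_delay(s, d):
    # no trajectory definition: timing-independent, any amount of time may pass
    return s

CATCHUP_A = (catchup_a_step, catchup_delay)
CATCHUP_B = (catchup_b_step, catchup_delay)
BOUNDED_A = (bounded_a_step, untimed_delay)
BOUNDED_B = (bounded_b_step, untimed_delay)

def compose(*components):
    """A1 || A2 || ... as in Section 5.1.1: a and b are external in every
    component, so every component takes part in each step, and time passes
    only if every component's trajectory set allows it."""
    def step(state, act):
        succ = [stp(s, act) for (stp, _), s in zip(components, state)]
        return None if None in succ else tuple(succ)
    def delay(state, d):
        succ = [dly(s, d) for (_, dly), s in zip(components, state)]
        return None if None in succ else tuple(succ)
    return step, delay

def run_alternation(automaton, state, rounds):
    """Try to perform a, b, a, b, ... (2 * rounds actions) with one time unit
    between consecutive actions.  Returns how many actions were performed
    before one of them was not enabled."""
    step, delay = automaton
    done = 0
    for i in range(2 * rounds):
        nxt = step(state, "ab"[i % 2])
        if nxt is None:
            return done
        done += 1
        state = delay(nxt, 1.0)
        if state is None:
            return done
    return done

def counterexample(rounds=100):
    """Both finite contexts stop; the specification matches any finite alternation
    from a suitable start state (here bounds 4 and 3); CatchUpA || CatchUpB never stops."""
    return {
        "CatchUpA||BoundedAlternateB(3)": run_alternation(
            compose(CATCHUP_A, BOUNDED_B), (CatchUp(), BoundedAlt(False, 3)), rounds),
        "BoundedAlternateA(3)||CatchUpB": run_alternation(
            compose(BOUNDED_A, CATCHUP_B), (BoundedAlt(True, 3), CatchUp()), rounds),
        "spec from start state (4, 3)": run_alternation(
            compose(BOUNDED_A, BOUNDED_B), (BoundedAlt(True, 4), BoundedAlt(False, 3)), rounds),
        "CatchUpA||CatchUpB": run_alternation(
            compose(CATCHUP_A, CATCHUP_B), (CatchUp(), CatchUp()), rounds),
    }
```

Raising `rounds` shows the point of the example: CatchUpA || CatchUpB completes every round asked for, so no single start state of BoundedAlternateA || BoundedAlternateB, each of which fixes a finite bound, contains its infinite alternation.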


In Chapter 8, we revisit the substitutivity issue and prove Theorem 8.8, a variant of the desirable
theorem considered in the above example, by assuming certain conditions on the environments A2
and B2.
We now define an operation that "hides" external actions of a timed automaton by reclassifying them
as internal actions. This prevents them from being used for further communication and means that
they are no longer included in traces. The operation is parametrized by a set of external actions:

If A is a timed automaton and E ⊆ E_A, then ActHide(E, A) is the structure B that is equal
to A except that E_B = E_A − E and H_B = H_A ∪ E. It is immediate from the definitions that hiding
is a well-defined operation on TAs.


Lemma 5.15 If E ⊆ E_A then ActHide(E, A) is a TA.


The following lemma characterizes the traces of the automaton that results from applying a 
hiding operation. 


Lemma 5.16 If A is a TA and E ⊆ E_A then traces_{ActHide(E, A)} = {β ⌈ (E_A − E, ∅) | β ∈ traces_A}.

Using Lemma 5.16, it is straightforward to establish that the hiding operation respects the
implementation relation.


Theorem 5.17 Suppose A and B are TAs with A ≤ B, and suppose E ⊆ E_A. Then ActHide(E, A) ≤
ActHide(E, B).
Example 5.18 (Clock and manager). Consider a simple system consisting of a "clock" and a
"manager". The clock ticks once every [c1, c2] time units and the manager issues a "grant" within b
time units after counting k > 0 ticks. We assume 0 ≤ b < c1 < c2. The problem is to prove upper
and lower bounds on the time between successive grant actions.

Figure 5.4 gives a formal specification of the clock in terms of the TA Clock(c1, c2) and the
manager in terms of the TA Manager(k, b). The full system with the tick actions hidden can be
defined by

System = ActHide({tick}, Clock || Manager).


Consider the automaton Specification displayed in Fig. 5.5. This automaton is equal to Clock,
except for some renamings. We claim that the manager issues a grant once every [c1 * k − b, c2 *
k + b] time units. An equivalent formulation of this claim is:

System ≤ Specification(c1 * k − b, c2 * k + b).

In order to prove the claim, one may first establish that the predicate

Inv ≜ 0 ≤ x ≤ c2 ∧ (count = 0 ⇒ x = y ≤ b) ∧ 0 ≤ count ≤ k

defines an invariant of System, and use this to verify that the conjunction of Inv and

c1 * (k − count) − b ≤ z − x ≤ c2 * (k − count)

defines a forward simulation from System to Specification(c1 * k − b, c2 * k + b).
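The following added simulation (example code for this page, not from the monograph) runs System = ActHide({tick}, Clock || Manager) with the nondeterminism of Figs. 5.4 and 5.5 resolved by a seeded generator, checks Inv and the simulation-relation inequality in every state visited, and collects the gaps between successive grants so they can be compared with the claimed interval [c1 * k − b, c2 * k + b]. The Specification's variable z is tracked as the time since the last grant.

```python
import random

def simulate_system(c1, c2, k, b, grants, seed=0):
    """Run System until `grants` grant actions have occurred.  The scheduler
    picks each tick time in [c1, c2] and each grant delay in [0, b].  Returns
    the gaps between successive grants (the first measured from time 0) and
    raises AssertionError if Inv or the simulation relation ever fails."""
    assert 0 <= b < c1 < c2 and k > 0
    rng = random.Random(seed)
    t = 0.0                  # real time
    x = 0.0                  # Clock.x: time since the last tick
    y = 0.0                  # Manager.y: time since count reached 0
    count = k                # Manager.count
    last_grant = 0.0         # Specification.z = t - last_grant
    gaps = []
    eps = 1e-9               # tolerance for floating-point rounding only

    def check():
        z = t - last_grant
        inv = (0 <= x <= c2 + eps and (count != 0 or (x == y and y <= b + eps))
               and 0 <= count <= k)
        assert inv, "Inv violated at t=%g" % t
        assert c1 * (k - count) - b - eps <= z - x <= c2 * (k - count) + eps, \
            "simulation relation violated at t=%g" % t

    check()
    while len(gaps) < grants:
        if count > 0:
            d = rng.uniform(c1, c2) - x      # next tick when x lies in [c1, c2]
        else:
            d = rng.uniform(0.0, b) - y      # grant within b after the k-th tick
        t, x, y = t + d, x + d, y + d        # trajectory: d(x) = 1 and d(y) = 1
        check()
        if count > 0:                        # tick (internal in System)
            x = 0.0
            count -= 1
            if count == 0:
                y = 0.0
        else:                                # grant: the only external action
            count = k
            gaps.append(t - last_grant)
            last_grant = t
        check()
    return gaps

def grants_within_claimed_bounds(c1=3.0, c2=4.0, k=5, b=1.0, grants=200):
    """True iff every observed gap lies in [c1 * k - b, c2 * k + b]."""
    lo, hi = c1 * k - b, c2 * k + b
    return all(lo <= g <= hi for g in simulate_system(c1, c2, k, b, grants))
```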
In this section, we define a new class of automata, "TA with bounds", where the basic definition
of a timed automaton is extended with the notion of a task and a pair of bounds (a lower and an
upper bound) for each task. We then define an operation that transforms a given TA with bounds to
another TA. This operation supports specifying a system by thinking in terms of tasks and bounds
as in the timed automata of Merritt et al. [91] and the phase transition systems of Maler et al. [88].

In defining the operation for extending timed automata with bounds, we restrict attention to
a class of automata where the enabling and disabling of actions during trajectories follow certain
rules. Specifically, our operation is defined on automata in which each action is enabled or disabled
throughout an entire trajectory, or becomes enabled once during a trajectory and remains so until
the end of that trajectory. The given restrictions ensure that the result of applying the operation to
a TA is another TA and that the resulting TA satisfies the restrictions.

Let A be a TA, C a set of actions of A, and T the set of trajectories of A. We say that T
is well-formed with respect to C if for each τ ∈ T and for each t ∈ dom(τ) both of the following
conditions hold:
automaton Clock(c1, c2: Real) where 0 < c1 ∧ c1 < c2
  signature
    external tick
  states
    x: Real := 0
  transitions
    external tick
      pre
        x ≥ c1
      eff
        x := 0
  trajectories
    stop when
      x = c2
    evolve
      d(x) = 1

automaton Manager(k: Int, b: Real) where b ≥ 0 ∧ k > 0
  signature
    external tick, grant
  states
    y: Real := 0,
    count: Int := k
  transitions
    external tick
      eff
        count := count - 1;
        if count = 0 then y := 0
    external grant
      pre
        count = 0
      eff
        count := k
  trajectories
    stop when
      count = 0 ∧ y = b
    evolve
      d(y) = 1

Figure 5.4: Automata Clock and Manager.


1. (Stability) If C is enabled in τ(t) then for all t' ∈ dom(τ) with t ≤ t', C is enabled in τ(t').

2. (Left-closedness) If C is not enabled in τ(t) then there exists a t' ∈ dom(τ) with t < t' such
that C is not enabled in τ(t').
automaton Specification(lb, ub: Real) where 0 < lb ∧ lb < ub
  signature
    external grant
  states
    z: Real := 0
  transitions
    external grant
      pre
        z ≥ lb
      eff
        z := 0
  trajectories
    stop when
      z = ub
    evolve
      d(z) = 1

Figure 5.5: Automaton Specification.


A TA with bounds, A = (B, C, l, u), consists of:

• A timed automaton B = (X, Q, Θ, E, H, D, T).

• A set C ⊆ E ∪ H of actions called a task; we assume that T is well-formed with respect to C.

• A lower time bound l ∈ R^{≥0} and an upper time bound u ∈ R^{≥0} ∪ {∞} with l ≤ u.


Lower and upper bounds are used to specify how much time is allowed to pass between the
enabling and the performance of an action. If l is the lower bound for a task C, then an action in C
must remain enabled at least for l time units before being performed. If u is the upper bound for a
task C, then an action in C can remain enabled at most u time units without being performed: it
must either be performed or become disabled within u time units.


We now define an operation Extend, which transforms a TA A with bounds to another TA 
A’ that incorporates the new bounds, in addition to the timing constraints already present in A. 


Let A = (B, C, l, u) be a TA with bounds where B = (X, Q, Θ, E, H, D, T). Then Extend(A)
is the TA A' = (X', Q', Θ', E', H', D', T') where

• X' = X ∪ {now, first, last} where:

  1. now, first, and last are new variables that do not appear in X.

  2. now is an analog variable such that type(now) = R.

  3. first and last are discrete variables where type(first) = R and type(last) = R ∪ {∞}.

• Q' = {x ∈ val(X') | x ⌈ X ∈ Q}.
• Θ' consists of all the states x ∈ Q' that satisfy the following conditions:

  1. x ⌈ X ∈ Θ.

  2. x(now) = 0.

  3. x(first) = l if C is enabled in x ⌈ X, and 0 otherwise;
     x(last) = u if C is enabled in x ⌈ X, and ∞ otherwise.

• E' = E and H' = H. We write A' ≜ E' ∪ H'.

• If a ∈ A' then (x, a, x') ∈ D' exactly if all of the following conditions hold:

  1. x ⌈ X →_a x' ⌈ X.

  2. x'(now) = x(now).

  3. (a) If a ∈ C, then x(first) ≤ x(now).
     (b) If C is enabled both in x ⌈ X and x' ⌈ X and a ∉ C, then x(first) = x'(first) and
         x(last) = x'(last).
     (c) If C is enabled in x' ⌈ X and either C is not enabled in x ⌈ X or a ∈ C, then x'(first) =
         x(now) + l and x'(last) = x(now) + u.
     (d) If C is not enabled in x' ⌈ X, then x'(first) = 0 and x'(last) = ∞.

• T' is the set that consists of all τ ∈ trajs(Q') that satisfy the following conditions:

  1. τ ↓ X ∈ T.

  2. d(now) = 1.

  3. (a) If for all t ∈ dom(τ), C is enabled in τ ↓ X(t) then first and last are constant throughout τ.
     (b) If for all t ∈ dom(τ), C is disabled in τ ↓ X(t) then first and last are constant
         throughout τ.
     (c) If for all t' ∈ [0, t), C is disabled in τ(t') and for all t' ∈ dom(τ) − [0, t), C is enabled
         in τ(t') then
           i. first and last are constant in [0, t).
           ii. τ(t)(first) = τ(t)(now) + l and τ(t)(last) = τ(t)(now) + u.
           iii. first and last are constant in dom(τ) − [0, t).
     (d) now ≤ last.


The transformation is based on the idea of augmenting the state of the original automaton
with a variable to represent current time (now) and the earliest time (first) and the latest time (last)
a task can be performed. All these variables represent time in absolute terms. Item 3(a) in the
definition of D' expresses the new lower bound constraint and Item 3(d) in the definition of T' the
new upper bound constraint.

Let A be a TA with bounds (B, C, I, u). In a start state x of Extend (A), the variables first 
and /as¢ are initialized to / and u, respectively, if C is enabled in x. If C is not enabled in x, then 
first is set to 0 and Jast is set to oo. Items 3(c) in the definition of D' and 3(c) in the definition of 
T” show how the variables first and /as¢ are updated. When C becomes newly enabled by a discrete 
transition or when a C action leads to a state in which C is enabled, first is set to now + | and /asz 
is set to now + u. The variables first and /ast are updated similarly when C becomes newly enabled 
in the course of a trajectory. 


Theorem 5.19 Suppose that A = (B, C, l, u) is a TA with bounds. Then Extend(A) is a TA with a 
set of trajectories that is well formed with respect to C. 

Proof. The proof follows from the definitions of TA and the operation Extend. Step 3(a) in the 
definition of D' adds a new lower bound constraint, which makes enabling start at some particular 
time. Step 3(d) in the definition of T' adds a new upper bound constraint, which stops trajectories 
at a particular time and which does not add any enabling or disabling to trajectories. 


In the rest of this section, we sometimes speak of variables, states and traces of a TA with 
bounds. If A = (B, C, l, u) is a TA with bounds, the variables, states and traces of A refer to, respectively, 
the variables, the states and the traces of the underlying automaton B. 


Theorem 5.20 Suppose A is a TA with bounds. Then traces_Extend(A) ⊆ traces_A. 

Proof. Let F : Q' → Q be defined as follows: F(x) = x ⌈ X where X is the set of internal variables 
of A. It is easy to check that F is a refinement from Extend(A) to A. By Theorem 4.29 and 
Corollary 4.25, we conclude that traces_Extend(A) ⊆ traces_A. 


Lemma 5.21 Suppose that A = (B, C, l, u) is a TA with bounds. For any reachable state x of 
Extend(A), if C is enabled in x ⌈ X in A, then x(last) ≤ x(now) + u. 

Proof. Consider a closed execution α of Extend(A). Using Axioms T1 and T2 for trajectories, 
we can write α as a concatenation of closed execution fragments α0 ⌢ α1 ⌢ ... ⌢ αk where α0 is a 
point trajectory, and each αi for i ≥ 1 is either a trajectory or a discrete action surrounded by two 
point trajectories such that for all 0 ≤ i ≤ k − 1, αi.lstate = αi+1.fstate. We prove the invariant by 
induction on the length k of the sequence of execution fragments. 

For the base case, suppose that C is enabled in α0.fstate ⌈ X. Since α is an execution, we know 
that α0.fstate is a start state of Extend(A). By definition of Extend(A), α0.fstate(last) = u. Since 
α0.fstate(now) = 0, α0.fstate(last) ≤ α0.fstate(now) + u, as required. 

For the inductive step, we assume that the property is true for the sequence α0 ⌢ α1 ⌢ ... ⌢ αk 
and show that it is true for αk+1 in the sequence α0 ⌢ α1 ⌢ ... ⌢ αk ⌢ αk+1. There are two cases to 
consider depending on whether αk+1 is a discrete action surrounded by two point trajectories or a 
trajectory. 

1. αk+1 is an action a surrounded by two point trajectories ℘(y) and ℘(y'). Suppose that C is 
enabled in y' ⌈ X in A. There are two subcases to consider: 

(a) C is enabled in y ⌈ X and a ∉ C. 
Then, y'(last) = y(last) and y'(now) = y(now). By inductive hypothesis, y(last) ≤ 
y(now) + u. Therefore, y'(last) ≤ y'(now) + u, as needed. 

(b) C is disabled in y ⌈ X or a ∈ C. 
Then, by definition of Extend(A), y'(last) = y'(now) + u, which suffices. 

2. αk+1 is a trajectory. 
Suppose that C is enabled in αk+1.lstate ⌈ X in A. There are two subcases to consider: 

(a) C is enabled in αk+1.fstate ⌈ X in A. 
By inductive hypothesis αk+1.fstate(last) ≤ αk+1.fstate(now) + u. By the well-formedness 
assumption, we know that C must be enabled throughout αk+1 and by definition of 
Extend(A) last is constant throughout αk+1. Since the value of now increases, it is easy 
to see that αk+1.lstate(last) ≤ αk+1.lstate(now) + u. 

(b) C is disabled in αk+1.fstate ⌈ X in A. 
Then, since it is enabled in αk+1.lstate ⌈ X by the well-formedness assumption, it becomes 
enabled at some point t in the domain of αk+1 and remains enabled thereafter. Therefore, 
αk+1(t)(last) = αk+1(t)(now) + u, by definition of Extend(A). Since last remains constant 
after it is set and the value of now increases, αk+1.lstate(last) ≤ αk+1.lstate(now) + u 
holds. 


The theorem below shows that the executions of an automaton obtained by applying the 
transformation Extend to a TA with bounds respect the time bounds specified by the lower bound l 
and the upper bound u. 


Theorem 5.22 Let A = (B, C, l, u) be a TA with bounds. Then: 

1. There does not exist a closed execution fragment α of Extend(A) from a reachable state, where 
α.ltime > u, C is enabled in A in all the states of α ⌈ (A, X) and no action in C occurs in α. 

2. There does not exist a closed execution fragment α of Extend(A) from a reachable state, where 
α.ltime < l, such that C is not enabled in A in the first state of α ⌈ (A, X) and an action in C occurs 
in α. 
Proof. 1. Suppose, for the sake of contradiction, that there exists a closed execution fragment 
α = τ0 a1 τ1 a2 ... τn of Extend(A) from a reachable state, where α.ltime > u, C is enabled 
in A in all the states of α ⌈ (A, X) and none of the ai in α is in C. By definition of trajectories 
for Extend(A) it must be the case that α.lstate(now) ≤ α.lstate(last). 

Since C is enabled in A in all states in α, by Lemma 5.21 we have α.fstate(last) ≤ 
α.fstate(now) + u. By definition of Extend(A), last remains constant throughout α; 
therefore, α.lstate(last) = α.fstate(last). Since α.fstate(last) ≤ α.fstate(now) + u, it follows 
that α.lstate(last) ≤ α.fstate(now) + u. By definition of α, we have α.lstate(now) = 
α.fstate(now) + α.ltime. It follows that α.fstate(now) + α.ltime ≤ α.fstate(now) + u. This 
implies α.ltime ≤ u. But this gives us the needed contradiction since α.ltime > u. 

2. We assume that α is a closed execution fragment of Extend(A) from a reachable state where 
α.ltime < l, such that C is not enabled in A in the first state of α and an action in C occurs in 
α. Let (x, a, x') be the first discrete transition of Extend(A) in α such that a ∈ C. We show 
that the condition x(first) ≤ x(now), which has to hold for the discrete transition to occur, 
cannot be true, and hence arrive at a contradiction. 

By Theorem 5.19, the set of trajectories of Extend(A) is well formed with respect to C. 
Therefore, C can become enabled either by a discrete transition or during a trajectory, and 
remains enabled until the occurrence of (x, a, x'). 

(a) C becomes enabled by a discrete transition and remains enabled in A until the occurrence 
of (x, a, x'). 
Let (y, b, y') be the discrete transition of A that enables C. By item 3(c) in the definition 
of D' we know that first is set to y(now) + l when C becomes enabled. By item 3(b) in 
the definition of D' and 3(a) in the definition of T', we know that it remains constant 
so that x(first) = y(now) + l. Since (x, a, x') is a discrete transition of Extend(A), it 
must be the case that x(first) ≤ x(now). Since x(now) ≤ y(now) + α.ltime and x(first) = 
y(now) + l it follows that y(now) + l ≤ y(now) + α.ltime. But we know by assumption 
that α.ltime < l which gives the needed contradiction. 

(b) C becomes enabled at some point in the course of a trajectory τ and remains enabled in 
A until the occurrence of (x, a, x'). 
Let y be a state in the range of τ where C becomes enabled. By item 3(c) in the definition 
of T' we know that first is set to y(now) + l when C becomes enabled and it remains 
constant in τ so that x(first) = y(now) + l. By item 3(b) in the definition of D' and 
3(a) in the definition of T', we know that first remains constant until the occurrence of 
(x, a, x'). Since (x, a, x') is a discrete transition of Extend(A), it must be the case that 
x(first) ≤ x(now). Since x(now) ≤ y(now) + α.ltime and x(first) = y(now) + l it follows 
that y(now) + l ≤ y(now) + α.ltime. But we know by assumption that α.ltime < l which 
gives the needed contradiction. 
Example 5.23 (Fischer's algorithm specified using tasks and bounds). In Example 4.5 we 
presented the specification of Fischer's mutual exclusion algorithm as a TA. This example illustrates an 
alternative way of specifying the same algorithm by using a TA with bounds. 

Recall that, formally, we define a TA with bounds as a TA augmented with a single task along 
with lower and upper bounds for that task. The automaton in Fig. 5.6 is, however, augmented with 
a set of tasks and bounds (we omit from the figure those transition definitions that are the same 
as in Example 4.5). This is for notational convenience and the automaton in Fig. 5.6 should be 
viewed as the automaton representing the cumulative result of adding in successive steps two tasks 
for each index. We assume that Extend is applied once for each task. That is, we start with the 
timing-independent version of FischerME, apply Extend to the automaton augmented with the task 
{set(i)} to add the lower bound 0 and the upper bound u_set, then apply Extend to the resulting 
automaton augmented with {check(i)} to add the lower bound l_check and the upper bound 
∞. Such two successive applications are allowed since the result of the first application of Extend 
satisfies the well-formedness conditions for the set of trajectories. 

The result of these successive applications yields an automaton similar to the one in 
Example 4.5. The only difference is that the mechanical application of the transformation would reset the 
value of firstcheck[i] to 0 as an effect of check(i) while we do not reset firstcheck[i] 
explicitly in Example 4.5, when it becomes disabled. This is because we make use of the facts that the value 
of firstcheck[i] is used only in determining whether check(i) is enabled and that check(i) 
becomes enabled only in the poststate of set(i) which also sets the value of firstcheck[i]. Note 
that this discrepancy does not give rise to any difference in the behaviors of the two automata. 
type Index = enumeration of p1, p2, p3, p4 
type PcValue = enumeration of rem, test, set, check, leavetry, crit, reset, leaveexit 

automaton FischerME(u_set, l_check: Real) 
  where u_set > 0 ∧ l_check > 0 ∧ u_set < l_check 
  signature 
    external try(i:Index), crit(i:Index), exit(i:Index), rem(i:Index) 
    internal test(i:Index), set(i:Index), check(i:Index), reset(i:Index) 
  states 
    x: Null[Index] := nil, 
    pc: Array[Index, PcValue] := constant(rem) 
  transitions 
    internal test(i) 
      pre 
        pc[i] = test 
      eff 
        if x = nil then 
          pc[i] := set 
    internal set(i) 
      pre 
        pc[i] = set 
      eff 
        x := embed(i); 
        pc[i] := check 
    internal check(i) 
      pre 
        pc[i] = check 
      eff 
        if x = embed(i) then pc[i] := leavetry 
        else pc[i] := test 
  tasks 
    set = {set(i)} for i: Index; check = {check(i)} for i: Index 
  bounds 
    set = [0, u_set]; check = [l_check, infty] 

Figure 5.6: Fischer's mutual exclusion algorithm with bounds. 
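The following Python program is an added example, not code from the monograph or its authors. It carries the Extend transformation through for the tasks of FischerME in Fig. 5.6: it applies items 3(a) to 3(d) of the definition of D' and item 3(d) of the definition of T' to the tasks set and check, and explores the reachable states to check mutual exclusion, that is, that no two indices ever have pc equal to crit. It assumes integer-valued time and integer bounds so that the search is finite, and stores the variables first and last relative to now (which loses nothing, since Extend only ever compares first with now and now with last). The helper names, the process count and the bound values are this example's own.

```python
"""Fischer's mutual exclusion algorithm of Fig. 5.6 as a TA with bounds.

Added example, not code from the monograph. The untimed transitions follow
Example 4.5 / Fig. 5.6; the timing part applies the Extend transformation
to the tasks set = {set(i)} (bounds [0, u_set]) and check = {check(i)}
(bounds [l_check, infinity]). Assumptions: time is integer valued and the
bounds are integers, so the reachable state space is finite; first and last
are stored relative to now (first - now is clamped at 0), which preserves
every comparison Extend makes (first <= now, now <= last).
"""
from collections import deque

INF = float("inf")
REM, TEST, SET, CHECK, LEAVETRY, CRIT, RESET, LEAVEEXIT = range(8)
ACTIONS = ("try", "test", "set", "check", "crit", "exit", "reset", "rem")


def untimed_step(pc, x, action):
    """Discrete transitions of FischerME without bounds.
    `pc` is a tuple of program counters, `x` the shared variable (None = nil).
    Returns the poststate (pc, x), or None when the precondition fails."""
    kind, i = action
    pc = list(pc)
    if kind == "try" and pc[i] == REM:
        pc[i] = TEST
    elif kind == "test" and pc[i] == TEST:
        if x is None:
            pc[i] = SET
    elif kind == "set" and pc[i] == SET:
        x, pc[i] = i, CHECK
    elif kind == "check" and pc[i] == CHECK:
        pc[i] = LEAVETRY if x == i else TEST
    elif kind == "crit" and pc[i] == LEAVETRY:
        pc[i] = CRIT
    elif kind == "exit" and pc[i] == CRIT:
        pc[i] = RESET
    elif kind == "reset" and pc[i] == RESET:
        x, pc[i] = None, LEAVEEXIT
    elif kind == "rem" and pc[i] == LEAVEEXIT:
        pc[i] = REM
    else:
        return None
    return tuple(pc), x


def explore(n, u_set, l_check):
    """Breadth-first exploration of Extend(FischerME) for n processes.
    A state is (pc, x, clocks) where clocks[k] = (first - now, last - now)
    for the k-th task. Returns the set of reachable (pc, x) pairs."""
    tasks = [("set", i) for i in range(n)] + [("check", i) for i in range(n)]
    bound = {"set": (0, u_set), "check": (l_check, INF)}
    target = {"set": SET, "check": CHECK}

    def enabled(pc, task):
        return pc[task[1]] == target[task[0]]

    # Start state (Theta', item 3): now = 0 and no task is enabled in constant(rem),
    # so first = 0 and last = infinity for every task.
    start = (tuple([REM] * n), None, tuple((0, INF) for _ in tasks))
    seen, queue = {start}, deque([start])
    while queue:
        pc, x, clocks = queue.popleft()
        succ = []
        # Time passage by one unit: T' item 3(d) requires now <= last throughout.
        if all(last >= 1 for _, last in clocks):
            succ.append((pc, x, tuple((max(f - 1, 0), l - 1) for f, l in clocks)))
        for kind in ACTIONS:
            for i in range(n):
                post = untimed_step(pc, x, (kind, i))
                if post is None:
                    continue
                # D' item 3(a): an action of a task fires only once first <= now.
                if (kind, i) in tasks and clocks[tasks.index((kind, i))][0] > 0:
                    continue
                pc2, x2 = post
                new = []
                for task, (f, l) in zip(tasks, clocks):
                    if not enabled(pc2, task):                       # 3(d): disabled afterwards
                        new.append((0, INF))
                    elif enabled(pc, task) and task != (kind, i):    # 3(b): unchanged
                        new.append((f, l))
                    else:                                            # 3(c): newly (re)enabled
                        new.append(bound[task[0]])
                succ.append((pc2, x2, tuple(new)))
        for s in succ:
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return {(pc, x) for pc, x, _ in seen}


def mutual_exclusion_holds(n, u_set, l_check):
    """True iff no reachable state has two processes in the critical region."""
    return all(sum(p == CRIT for p in pc) <= 1 for pc, _ in explore(n, u_set, l_check))


if __name__ == "__main__":
    for u_set, l_check in ((1, 2), (2, 1), (1, 1)):
        verdict = "mutual exclusion holds" if mutual_exclusion_holds(2, u_set, l_check) \
            else "two processes can be in crit"
        print(f"u_set={u_set}, l_check={l_check}: {verdict}")
```

With u_set = 1 and l_check = 2 the side condition u_set < l_check of Fig. 5.6 holds and the exploration finds no state with two processes in crit; with u_set = 2, l_check = 1, and also with u_set = l_check = 1, it reaches such a state, which is why the condition is strict.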
CHAPTER 6 

Properties for Timed Automata 

In this chapter, we define the notion of a property for hybrid sequences and define some common 
types of properties, in particular, safety and liveness properties. We define what it means for a timed 
automaton to satisfy a property, and present results that capture common proof methods for showing 
that automata satisfy properties. 


6.1 PROPERTIES FOR HYBRID SEQUENCES 


Common types of properties considered for systems include safety properties and liveness properties 
[3, 9]. These notions are usually defined in a setting in which the behavior of a system consists of a 
set of infinite sequences. A property is then a set of infinite sequences. However, the behavior of a 
TA, that is, its executions and traces, encompasses both finite and infinite sequences. It is natural to 
say that a TA satisfies a certain property if all its executions (or traces) are contained in the property. 
Therefore, we consider properties that may contain both finite and infinite sequences, and adjust the 
definitions of safety and liveness accordingly. 

For any set A of actions and set V of variables, we define an (A, V)-property P to be any 
set of (A, V)-sequences. We define an (A, V)-property P to be a safety property provided that it 
is closed under prefix and limits of hybrid sequences. In other words, if a hybrid sequence satisfies 
a safety property P, then so do all its prefixes, and if all the executions in a chain of successive 
extensions satisfy P, then so does the limit of the chain. Safety properties are generally used to 
represent requirements that should be maintained by a system throughout its execution. 


Example 6.1 (Safety property). For any A and V, the set of all (A, V)-sequences in which all 
valuations are equal is a safety property. 


Example 6.2 (Always properties). Any set (property) of valuations can be used to define a safety 
property, as follows. Let I be any set of valuations of a set V of variables, and let A be any set of 
actions. Then define always(I, A) to be the (A, V)-property consisting of all (A, V)-sequences in 
which all valuations are in I. It is immediate that always(I, A) is a safety property. In this way, 
invariants that are formulated in terms of automaton states can be regarded as safety properties. 

Example 6.3 (Timed automata executions and traces). For any TA A, its set of executions, execs_A, 
is a safety property. However, the set of traces traces_A need not be a safety property. For example, A 
could be defined to choose an integer k nondeterministically, and then perform an external action 
beep at integer times 0, 1, 2, ..., k. The limiting sequence in which beep is performed infinitely 
many times, at all nonnegative integer times, is not in traces_A. 

Any (A, V)-property P can be weakened to a safety property. Define safe(P) to be the (A, V)-
property that is obtained by taking the limit-closure of the prefix-closure of P. Then we can prove 
the following two lemmas. 


Lemma 6.4 Let P be an (A, V)-property and let α be a closed (A, V)-sequence in safe(P). Then α is 
a prefix of some element of P. 

Proof. Let Q be the prefix closure of P, and let R be the limit-closure of Q. Since α ∈ R, there 
exists a chain α0, α1, α2, ... of elements of Q with limit α. By Lemma 3.6, α is compact, and thus 
there is some αi such that α ≤ αi. Since αi ∈ Q, there exists some β ∈ P such that αi ≤ β. Hence, 
α is a prefix of element β of P. 

Lemma 6.5 For any (A, V)-property P, safe(P) is a safety property. 

Proof. Let Q be the prefix closure of P, and let R be the limit-closure of Q. We prove that R = 
safe(P) is a safety property. 

First, we show that R is closed under prefixes. Let α ∈ R and let β ≤ α. We must prove 
β ∈ R. Since α ∈ R, there exists a chain α0, α1, α2, ... of elements of Q with limit α. There exists 
a chain β0, β1, β2, ... of closed (A, V)-sequences with limit β. Fix an index i. Since βi ≤ β and 
β ≤ α, we have βi ≤ α. By Lemma 3.6, βi is compact, and thus there is some αj such that βi ≤ αj. 
Since αj ∈ Q and Q is (trivially) prefix-closed, βi ∈ Q. Since i was chosen arbitrarily, this implies 
β ∈ R. 

Next, we show that R is limit-closed. Suppose that α is the limit of a chain α0, α1, α2, ... 
of elements of R. We must prove that α ∈ R. There exists a chain β0, β1, β2, ... of closed (A, V)-
sequences with limit α. Fix an index i. By Lemma 3.6, βi is compact, and thus there is some αj 
such that βi ≤ αj. Since αj ∈ R and R is closed under prefixes, βi ∈ R. Hence, by Lemma 6.4, βi 
is a prefix of an element of P, that is, βi ∈ Q. Since i was chosen arbitrarily, this implies α ∈ R, as 
required. 


We now turn to liveness properties. We define an (A, V)-property P to be a liveness property 
if, for every closed (A, V)-sequence α, P contains both α and an admissible extension of α, that is, 
C(A, V) ⊆ P, and ∀α ∈ C(A, V) ∃β ∈ P : α ≤ β ∧ β ∈ A(A, V). 

Liveness properties are commonly used to represent system requirements that should hold 
"eventually", or "infinitely often". In order for liveness properties to exist, we need a nontriviality 
assumption on the dynamic types of variables. If, for instance, the dynamic type of some variable 
only contains point trajectories, then there is no way in which we can extend closed hybrid sequences 
to admissible hybrid sequences. Therefore, we assume, in the rest of this section, that for any v ∈ V 
and for any value c ∈ type(v), there exists a function f ∈ dtype(v) whose domain is [0, ∞) and with 
f(0) = c. Observe that, in combination with the fact that dynamic types are closed under time 
shift and concatenation, the nontriviality assumption implies that any closed hybrid sequence has 
an admissible extension. 

Example 6.6 (Liveness properties). Fix a set of actions A containing action a, and a variable set 
V. Then the union of the set C(A, V) with the set of all (A, V)-sequences that contain at least 
one occurrence of a is a liveness property. The set of all (A, V)-sequences that do not contain any 
occurrence of a is not a liveness property, because this set does not include C(A, V). The union of 
C(A, V) with the set of (A, V)-sequences that contain infinitely many occurrences of a is a liveness 
property. The set of all (A, V)-sequences that contain finitely many occurrences of a is also a liveness 
property, since any closed (A, V)-sequence contains only finitely many occurrences of a, and has an 
admissible extension with only finitely many occurrences of a. Note that we need the dynamic type 
nontriviality assumption to assert the existence of the required admissible executions, in all three 
cases above. 


Our definitions yield the following results, stated formally as Theorems 6.7 and 6.8: (1) the 
classes of safety and liveness properties are (essentially) disjoint; and (2) every property satisfying 
certain basic closure conditions can be expressed as the intersection of a safety and a liveness property. 
The first theorem says that the only property that can be both a safety and a liveness property is the 
set of all (A, V)-sequences. 

Theorem 6.7 Let P be an (A, V)-property. If P is both a safety property and a liveness property, then 
P is the set of all (A, V)-sequences. 

Proof. Suppose that P is both a safety and a liveness property. Let α be any (A, V)-sequence; we 
show α ∈ P. By Lemma 3.6, α can be expressed as the limit of a chain of closed (A, V)-sequences 
α0, α1, α2, .... Since P is a liveness property, it follows that for every i ≥ 0, αi ∈ P. But since P is 
a safety property, the limit of this chain, which is α, must also be in P. 

The second theorem says that any property that satisfies certain basic closure conditions can 
be expressed as the intersection of a safety property and a liveness property. This means that one can, 
in principle, specify any such property by listing a collection of safety and liveness requirements. In 
other frameworks, for instance those of [3, 9], any property can be expressed as the intersection of 
a safety and a liveness property, whereas we require two closure conditions. This is due to the fact 
that in our setting properties may also contain finite sequences. The closure conditions constrain the 
finite behaviors within a property. 

Theorem 6.8 Let P be a prefix-closed (A, V)-property such that any closed sequence in P has an 
admissible extension in P. Then there exist a safety property S and a liveness property L such that 
P = S ∩ L. 
Proof. Let S = safe(P) and let 

L = P ∪ C(A, V) ∪ {β ∈ A(A, V) | ∃α ∈ C(A, V) − P : α ≤ β}. 

Lemma 6.5 implies that S is a safety property. We claim that L is a liveness property. L contains 
all closed sequences, by construction. Now fix any closed sequence β, and argue that L contains 
an admissible extension of β. If β ∈ P then, by the closure conditions on P, it has an admissible 
extension in P, and hence in L. If β ∉ P then, by definition of L, an admissible extension of β is 
included in L. Note that the existence of this extension depends on the dynamic type nontriviality 
assumption. 

From the definitions it is obvious that P ⊆ S ∩ L. We claim that S ∩ L ⊆ P. For contradiction, 
consider α ∈ (S ∩ L) − P. If α is closed then, since α ∈ safe(P), Lemma 6.4 and the fact that 
P is prefix-closed imply α ∈ P, and we are done. So assume that α is not closed. Since α ∈ L − P, 
α is an admissible extension of some β ∈ C(A, V) − P. But since α ∈ S and P is prefix-closed, α 
is also the limit of a chain α0, α1, ... of sequences in P. This implies that there exists some index j 
such that β ≤ αj. But then, by prefix closure of P, β ∈ P. Contradiction. 

Example 6.9 (Expressing a property as an intersection of safety and liveness properties). Let P 
be the set of ({a, b}, ∅)-sequences whose action subsequences are strictly alternating as and bs, and 
are either finite and time-bounded, or else infinite and admissible (that is, admissible with infinitely 
many action occurrences). Thus, we are ruling out both infinite time-bounded sequences and finite 
admissible sequences (admissible sequences with finitely many action occurrences). It is easy to check 
that P is prefix-closed and that any closed sequence in P has an admissible extension in P. 

Let S be the set of ({a, b}, ∅)-sequences whose action subsequences are strictly alternating as 
and bs. This includes all the sequences in P, plus the alternating infinite time-bounded sequences 
and the alternating finite admissible sequences. Clearly, S is closed under prefix and limits, and hence 
a safety property. 

Let L' be the prefix closure of the set of all infinite and admissible ({a, b}, ∅)-sequences. 
Then, clearly, L' is a liveness property and P = S ∩ L'. 

The decomposition of a property into a safety and a liveness property is not unique. Since 
S = safe(P), the definition of S is in agreement with the construction in the proof of Theorem 6.8. 
The set L', however, is larger than the liveness property L constructed in the proof of Theorem 6.8. 
This construction defines L to be the union of P and C(A, V) and the set of admissible ({a, b}, ∅)-
sequences with an alternation error. Observe that L ⊂ L' since L' also contains the open and 
time-bounded ({a, b}, ∅)-sequences with an alternation error. Nevertheless, according to the proof 
of Theorem 6.8, also L is a liveness property and P = S ∩ L. 
6.2 PROPERTIES FOR TIMED AUTOMATA 

Now we define what it means for an automaton to satisfy a property. Consider a TA A and an 
(A, X)-property P, where A and X are the actions and variables of A. Then we say that A satisfies 
P provided that execs_A ⊆ P, that is, every execution of A is in P. 

Sometimes we are interested in showing that an automaton satisfies a property of its traces, 
rather than of its executions. Thus, consider an (E, ∅)-property P, where E is the set of external 
actions of A. Then we say that A trace-satisfies P provided that traces_A ⊆ P. 

For safety properties, we have the following three-way equivalence. The second and third 
conditions can be regarded as sufficient conditions for showing that A satisfies S. Lemma 6.10 
assumes that A is feasible, the definition of which is given in Section 4.4. 


Lemma 6.10 Suppose that A is a feasible TA, and S is an (A, X)-safety property, where A and X are 
the actions and variables of A. The following three statements are equivalent. 

1. A satisfies S. 

2. Every admissible execution of A is in S. 

3. Every closed execution of A is in S. 

Proof. Obviously, Condition 1 implies both Conditions 2 and 3. We show that Condition 2 implies 
Condition 3 and Condition 3 implies Condition 1. 

• 2 implies 3: Fix any closed execution α. Since A is feasible, α can be extended to an admissible 
execution α', which must be in S by Condition 2. Since S is prefix-closed, α ∈ S, as needed. 

• 3 implies 1: Fix any execution α. Then α is the limit of a sequence of closed executions, each 
of which must be in S by Condition 3. Since S is limit-closed, α ∈ S, as needed. 

A consequence of Lemma 6.10 is that, in order to prove that a TA A satisfies an (A, X)-
safety property S, it is enough to prove S for all closed executions of A. This is typically done 
by induction on the length of the closed execution sequences (after strengthening the inductive 
hypothesis as needed). Such inductions have two types of inductive steps: for discrete transitions 
and for trajectories. A similar result to Lemma 6.10 holds for trace-satisfaction. 


Lemma 6.11 Suppose that A is a fe­asible TA, and S is an (E, ∅)-safety property, where E is the set of 
external actions of A. The following three statements are equivalent. 

1. A trace-satisfies S. 

2. Every admissible trace of A is in S. 

3. Every closed trace of A is in S. 

Now we consider the relationship between safety properties and invariants, as defined in 
Section 4.3. It follows directly from the definitions that I is an invariant of automaton A exactly if 
A satisfies the corresponding property always(I, A), as defined in Example 6.2. 


Lemma 6.12 Let A be a TA with variable set X, and let I be a set of valuations of X. Then I is an 
invariant of A if and only if A satisfies the safety property always(I, A). 


Lemma 6.12 is of little use when one has to prove an invariant. For proving invariants it is 
better to use the methods described in Section 4.3. Methods for proving liveness properties for timed 
automata are less standardized than those for proving safety properties. In untimed settings, formal 
temporal logic methods are often used [65]. In timed settings, "eventual" properties and "infinitely 
often" properties are more commonly sharpened into time bound properties, which are expressed as 
safety properties and proved using safety proof techniques [49]. 


Example 6.13 (Formulating an eventual property as a safety property). Consider the liveness 
property L consisting of sequences α such that either α is finite and time-bounded, or α contains 
at least one occurrence of a. Also, consider the safety property S consisting of all sequences α such 
that either α.ltime < t or α contains at least one occurrence of a by time t. 

Note that S does not quite imply L, because S allows the case where α is an infinite sequence 
with α.ltime < t that contains no a, whereas L does not. However, we can say that, if α is in S and α 
is not an infinite sequence with α.ltime < t, then α ∈ L. So, for example, for an automaton A having 
no infinite, time-bounded executions (executions with finite ltime), if we show that all executions of 
A satisfy S, then we know that they all satisfy L. 


6.3 IMPLEMENTATION 

The following theorem relating implementation and properties is immediate. 

Theorem 6.14 Let A and B be TAs with the same set E of external actions, and let P be any (E, ∅)-
property. If A ≤ B (that is, if traces_A ⊆ traces_B) and B trace-satisfies P, then A trace-satisfies P. 

Theorem 6.14 provides a simple proof method for showing that an automaton A trace-satisfies 
a property P: show that A implements some other automaton B and show that B satisfies P. 
6.4 OPERATIONS 

In this section, we define composition of properties and give some basic results about when a 
composition of automata satisfies a composition of properties. Suppose Pi is an (Ai, Vi)-property, i ∈ 
{1, 2}. Then define P1 || P2 to be the (A1 ∪ A2, V1 ∪ V2)-property containing exactly those sequences 
α such that α ⌈ (Ai, Vi) ∈ Pi, i ∈ {1, 2}. 

Theorem 6.15 Let Pi be an (Ai, Vi)-property, i ∈ {1, 2}. If P1 and P2 are safety properties, then 
P1 || P2 is a safety property. 

The following theorem gives a simple sufficient condition for a composition of TA to imple-
ment a composition of properties. 

Theorem 6.16 Let A1 and A2 be compatible TAs and let Pi be an (Ai, Xi)-property, i ∈ {1, 2}, where 
Ai and Xi are the sets of actions and states of Ai. Suppose Ai satisfies Pi, i ∈ {1, 2}. Then A1 || A2 satisfies 
P1 || P2. 

Proof. Let α ∈ execs_(A1 || A2). By Lemma 5.2, α ⌈ (Ai, Xi) ∈ execs_Ai, i ∈ {1, 2}. Since Ai satisfies Pi, 
we have that α ⌈ (Ai, Xi) ∈ Pi, for i ∈ {1, 2}. Therefore, α ∈ P1 || P2. 

A similar result holds for traces. 

Theorem 6.17 Let A1 and A2 be compatible TAs and let Pi be an (Ei, ∅)-property, i ∈ {1, 2}, where 
Ei is the set of external actions of Ai. Suppose Ai trace-satisfies Pi, i ∈ {1, 2}. Then A1 || A2 trace-satisfies 
P1 || P2. 

Theorems 6.16 and 6.17 provide basic proof methods for showing that a composed system 
satisfies composed properties. We can also obtain slightly stronger results, such as the following two 
trace-satisfaction theorems, which are analogous to Corollaries 5.11 and 5.12. The first theorem 
says that A1 || A2 trace-satisfies P1 || P2 provided that A2 trace-satisfies P2, and every trace of A1 
consistent with property P2 also has property P1. 


Theorem 6.18 Let A1 and A2 be compatible TAs and let Pi be an (Ei, ∅)-property, i ∈ {1, 2}. Suppose 
A2 trace-satisfies P2. Suppose that every trace β of A1 such that β ⌈ (E2, ∅) ∈ P2 is in P1. Then A1 || A2 
trace-satisfies P1 || P2. 

Example 6.19 (Compositional proof of property satisfaction). Let A2 be a TA with one external 
action a. A2 is allowed to perform a only at integer times, and at most once at each integer time. 
It does not force any a events to occur, and lets time pass without constraint. Let P2 be the set of 
({a}, ∅)-sequences in which, by any finite time, there are only finitely many occurrences of a. Clearly, 
A2 trace-satisfies P2. 

Let A1 be a timed automaton with two external actions, a and b. A1 is allowed to perform any 
number of a events, at any time. It can perform b at any time, but only if it has previously performed 
a at the same time with no intervening b. A1 also lets time pass unconstrained. Let P1 be the set 
of ({a, b}, ∅)-sequences in which, by any finite time, there are only finitely many occurrences of b. 
Then every trace β of A1 such that β ⌈ (E2, ∅) ∈ P2 is in P1. 

It follows from Theorem 6.18 that A1 || A2 trace-satisfies P1 || P2, which means that the compo-
sition of the two automata guarantees that, by any finite time, there are only finitely many occurrences 
of a and only finitely many occurrences of b. 
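The program below is an added example, not code from the monograph or its authors. It turns the safety property S of Example 6.13 into an online monitor over closed traces, in the spirit of Lemma 6.10 (closed executions suffice for a safety property), and implements the restriction and composition of properties of Section 6.4 for traces, using two constructed ({a, b}, ∅)- and ({a}, ∅)-properties modelled on the behaviours of A1 and A2 in Example 6.19. The trace encoding (a list of (time, action) pairs plus a limit time), the property names and the sample traces are this example's own.

```python
"""Checking safety properties on closed traces (Example 6.13, Section 6.4).

Added example, not code from the monograph. A closed trace is modelled as a
list of (time, action) events in time order together with its limit time
ltime, which may lie beyond the last event. Property names and the traces
used below are constructed for this example.
"""


class BoundedResponseMonitor:
    """Online monitor for the safety property S of Example 6.13: either the
    trace ends before time t, or `action` occurs by time t. Once time has
    passed t with no `action`, no extension can repair the trace, so the
    verdict is settled on that finite prefix and never revised."""

    def __init__(self, t, action="a"):
        self.t, self.action = t, action
        self.now, self.seen, self.violated = 0, False, False

    def advance(self, when):
        """Let time pass up to `when`."""
        if when < self.now:
            raise ValueError("time must not go backwards")
        self.now = when
        if self.now > self.t and not self.seen:
            self.violated = True

    def event(self, when, act):
        """Record the discrete action `act` at time `when`."""
        if act == self.action and when <= self.t:
            self.seen = True
        self.advance(when)

    def finish(self, ltime):
        """Close the trace at `ltime` and return whether S holds for it."""
        self.advance(ltime)
        return ltime < self.t or self.seen


def satisfies_S(events, ltime, t, action="a"):
    """Offline check of S on a whole closed trace."""
    monitor = BoundedResponseMonitor(t, action)
    for when, act in events:
        monitor.event(when, act)
    return monitor.finish(ltime)


def restrict(events, actions):
    """The restriction α ⌈ (E, ∅) of a trace: keep the events whose action is in E."""
    return [(when, act) for when, act in events if act in actions]


def satisfies_composed(events, ltime, parts):
    """P1 || P2 || ... of Section 6.4: the trace is in the composition iff every
    restriction α ⌈ (Ei, ∅) satisfies Pi. `parts` lists pairs (Ei, Pi)."""
    return all(prop(restrict(events, acts), ltime) for acts, prop in parts)


def a_at_integer_times_at_most_once(events, ltime):
    """A ({a}, ∅)-property in the spirit of A2 in Example 6.19: a occurs only at
    integer times and at most once at each of them."""
    times = [when for when, act in events if act == "a"]
    return all(float(w).is_integer() for w in times) and len(times) == len(set(times))


def b_preceded_by_a_at_same_time(events, ltime):
    """A ({a, b}, ∅)-property in the spirit of A1 in Example 6.19: every b is
    preceded by an a at the same time with no intervening b."""
    pending = None  # time of the latest a that no b has used yet
    for when, act in events:
        if act == "a":
            pending = when
        elif act == "b":
            if pending != when:
                return False
            pending = None
    return True


PARTS = [({"a", "b"}, b_preceded_by_a_at_same_time),
         ({"a"}, a_at_integer_times_at_most_once)]

if __name__ == "__main__":
    print(satisfies_S([(1, "b"), (3, "a"), (4, "b")], 6, 5))   # True: a by time 5
    print(satisfies_S([(1, "b"), (7, "a")], 8, 5))             # False: time passes 5 with no a
    print(satisfies_S([(1, "b")], 2, 5))                       # True: ltime < 5
    print(satisfies_composed([(1, "a"), (1, "b"), (2, "a")], 3, PARTS))  # True
    print(satisfies_composed([(1, "a"), (1, "b"), (1, "a")], 3, PARTS))  # False: two a at time 1
```

The monitor raises its verdict only once time has strictly passed t, so that an a occurring exactly at time t still counts as "by time t"; the final check in finish applies the page's condition α.ltime < t to the whole closed trace.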


The second theorem incorporates auxiliary properties. It says that A1 || A2 trace-satisfies P1 || P2 
provided that, for some auxiliary properties Q1 and Q2, A1 || A2 trace-satisfies Q1 || Q2, every trace of 
A1 consistent with property Q2 also has property P1, and every trace of A2 consistent with property 
Q1 also has property P2. 

Theorem 6.20 Let A1 and A2 be compatible TAs and let Pi and Qi be (Ei, ∅)-properties, i ∈ {1, 2}. 
Suppose that: 

1. A1 || A2 trace-satisfies Q1 || Q2. 

2. Every trace β of A1 such that β ⌈ (E2, ∅) ∈ Q2 is in P1, and every trace β of A2 such that 
β ⌈ (E1, ∅) ∈ Q1 is in P2. 

Then, A1 || A2 trace-satisfies P1 || P2. 

We close this chapter with a trace-satisfaction result for hiding. 

Theorem 6.21 Let A be a TA, let P be an (E_A, ∅)-property, and let E ⊆ E_A. Suppose that A trace-
satisfies P. Then ActHide(E, A) trace-satisfies the property P ⌈ (E_A − E, ∅) = {β ⌈ (E_A − E, ∅) | 
β ∈ P}. 


CHAPTER 7 


Timed I/O Automata 


In this chapter we refine the timed automaton model of Chapter 4 by distinguishing between input 
and output actions. Typically, an interaction between a system and its environment is modeled by 
using output and input actions to represent, respectively, the external events under the control of the 
system and the environment. We extend the results on simulation relations and composition from 
Chapters 4 and 5 to this new setting. We also introduce special kinds of timed I/O automata: I/O 
feasible, progressive, and receptive TIOAs. 
A timed I/O automaton (TIOA) A is a tuple (B, I, O) where:

• B = (X, Q, Θ, E, H, D, T) is a TA.

• I and O partition E into input and output actions, respectively. Actions in L ≜ H ∪ O are
called locally controlled; as before, we write A ≜ E ∪ H.

• The following additional axioms are satisfied:

E1 (Input action enabling)
For every x ∈ Q and every a ∈ I, there exists x' ∈ Q such that x −a→ x'.

E2 (Time-passage enabling)
For every x ∈ Q, there exists τ ∈ T such that τ.fstate = x and either

1. τ.ltime = ∞, or

2. τ is closed and some l ∈ L is enabled in τ.lstate.


Input action enabling is the input enabling condition of ordinary I/O automata [84, 83, 76, 53, 54]; it 
says that a TIOA is able to perform an input action at any time. The time-passage enabling condition 
says that a TIOA either allows time to advance forever, or it allows time to advance for a while, up 
to a point where it is prepared to react with some locally controlled action. The condition ensures
what is called time reactivity in [12] and timelock freedom in [14], that is, whenever time progress 
stops there exists at least one enabled transition. Because TIOAs have no external variables, E1 and 
E2 are slightly simpler than the corresponding axioms for HIOAs in [79]. 
Notation: As we did for TAs, we often denote the components of a TIOA A by B_A, I_A, O_A, X_A,
Q_A, Θ_A, etc., and those of a TIOA A_i by B_i, I_i, O_i, X_i, Q_i, Θ_i, etc. We sometimes omit these
subscripts, where no confusion is likely. We abuse notation slightly by referring to a TIOA A as a
TA when we intend to refer to B_A.


Example 7.1 (TAs viewed as TIOAs). The automaton TimedChannel described in Example 4.1 
can be turned into a TIOA by classifying the send actions as inputs, and the receive actions as 
outputs. Since there is no precondition for send actions, they are enabled in each state, so clearly the 
input enabling condition E1 holds. It is also easy to see that Axiom E2 holds: in each state either 
queue is nonempty, in which case a receive output action is enabled after a point trajectory, or 
queue is empty, in which case time can advance forever. 

The automaton ClockSync(u,r,i) of Example 4.6 can be turned into a TIOA by classifying 
the send actions as outputs, and the receive actions as inputs. Axiom E1 then holds trivially. 
Axiom E2 holds since from each state either time can advance forever, or we have an outgoing 
trajectory (possibly of length 0) to a state in which physclock = nextsend, and from there a send 
output action is enabled. 


7.2 EXECUTIONS AND TRACES


An execution fragment, execution, trace fragment, or trace of a TIOA A is defined to be an execution
fragment, execution, trace fragment, or trace of the underlying TA B_A, respectively.

We say that an execution fragment of a TIOA is locally-Zeno if it is Zeno and contains infinitely
many locally controlled actions, or equivalently, if it has finite limit time and contains infinitely many
locally controlled actions.


7.3 SPECIAL KINDS OF TIMED I/O AUTOMATA 


7.3.1 FEASIBLE AND I/O FEASIBLE TIOAS 
A TIOA A = (B, I, O) is defined to be feasible provided that its underlying TA B is feasible
according to the definition given in Section 4.4: for every state x of B, there exists an admissible
execution fragment of B from x. As noted in Section 4.4, feasibility is a basic requirement that any
TA (or TIOA) should satisfy. I/O feasibility is a strengthened version of feasibility that takes inputs
into account. It says that the automaton is capable of providing some response from any state, for any
sequence of input actions and any amount of intervening time-passage. In particular, it should allow
time to pass to infinity if the environment does not submit any input actions. Formally, we define
a TIOA to be I/O feasible provided that, for each state x and each (I, ∅)-sequence β, there is some
execution fragment α from x such that α⌈(I, ∅) = β. That is, an I/O feasible TIOA accommodates
arbitrary input actions occurring at arbitrary times. The given (I, ∅)-sequence β describes the inputs
and the amounts of intervening time.
7.3.2 PROGRESSIVE TIOAS


A progressive TIOA never generates infinitely many locally controlled actions in finite time. Formally, 
a TIOA A is progressive if it has no locally-Zeno execution fragments. For reasons that will become 
clear later on in this section (see Theorem 7.6), we define progressiveness for execution fragments 
rather than for executions. 

The following lemma says that any progressive TIOA is capable of advancing time forever. 


Lemma 7.2 Every progressive TIOA is feasible.


Proof. Let A be a progressive TIOA and let x be a state of A. Since A is a TIOA it satisfies Axiom
E2. We construct an admissible execution fragment α = α0 ⌢ α1 ⌢ α2 ⌢ ⋯ from x as follows.
1. α0 = ℘(x).
2. For each i > 0,
(a) If there exists a trajectory τ from α_{i−1}.lstate such that τ.ltime = ∞ then α_i is the final
execution fragment in the sequence and α_i = τ.
(b) Otherwise, let τ_i be a closed trajectory from α_{i−1}.lstate such that some l ∈ L is enabled in
τ_i.lstate. Define α_i = τ_i l ℘(y), where y is a state with τ_i.lstate −l→ y.
The above construction either ends after finitely many stages such that the last trajectory of α is
admissible, or goes through infinitely many stages such that α contains infinitely many local actions.
In the former case, we know that α is admissible since it ends with an admissible trajectory. In the
latter case, since A is progressive, the fact that α has infinitely many local actions implies that α is
admissible, as needed.


The following lemma says that a progressive TIOA is capable of allowing any amount of time 
to pass from any state. 


Lemma 7.3 Let A be a progressive TIOA, let x be a state of A, and let τ ∈ trajs(∅). Then there exists
an execution fragment α of A such that α.fstate = x and α⌈(I, ∅) = τ.

Proof. The result follows from the construction used in the proof of Lemma 7.2. Let α be an
admissible execution fragment from x constructed as in the proof of Lemma 7.2. Let α' be a prefix
of α such that α'⌈(∅, ∅) = τ. Since our construction uses no actions from I, we have α'⌈(I, ∅) =
α'⌈(∅, ∅) = τ, as needed.


The following theorem says that a progressive TIOA is capable not just of allowing arbitrary 
amounts of time to pass, but of allowing arbitrary input actions at arbitrary times. 


Theorem 7.4 Every progressive TIOA is I/O feasible. 
Proof. Let A be a progressive TIOA, let x be a state of A, and let β = τ0 a1 τ1 a2 τ2 ⋯ be an
(I, ∅)-sequence. We construct a finite or infinite sequence α0 α1 ⋯ of execution fragments such
that:

1. α0.fstate = x.
2. For each nonfinal index i, α_i.lstate = α_{i+1}.fstate.
3. For each i, (α0 ⌢ α1 ⌢ ⋯ ⌢ α_i)⌈(I, ∅) = τ0 a1 τ1 ⋯ τ_i.

The construction is carried out recursively. To define α0, we start with x and use Lemma 7.3 to
"span" the time interval of τ0. For i > 0, we define α_i by starting with α_{i−1}.lstate, using Axiom E1
to perform the input action a_i and move to a new state, and then using Lemma 7.3 to span τ_i.

Let α = α0 ⌢ α1 ⌢ ⋯. By Lemma 3.8, α is an execution fragment of A from x such that
α⌈(I, ∅) = β, as needed.


7.3.3 RECEPTIVE TIMED I/O AUTOMATA


In this section, we define the notion of receptiveness for TIOAs. A TIOA will be defined to be receptive
provided that it admits a strategy for resolving its nondeterministic choices that never generates 
infinitely many locally controlled actions in finite time. This notion has an important consequence: 
A receptive TIOA provides some response from any state, for any sequence of discrete input actions 
at any times. This implies that the automaton has a nontrivial set of execution fragments, in fact, it 
has execution fragments that accommodate any inputs from the environment. The automaton cannot 
simply stop at some point and refuse to allow time to elapse; it must allow time to pass to infinity 
if the environment does so. Previous studies of receptiveness properties include [24, 1, 107, 81]. 
The notion of receptiveness for TIOAs as discussed here is a special case of the same notion for 
HIOAs [79]. 

We build our definition of receptiveness on our earlier definition of progressive TIOAs. 
Namely, we define a strategy for resolving nondeterministic choices, and define receptiveness in 
terms of the existence of a progressive strategy. 

We define a strategy for a TIOA A to be a TIOA A' that differs from A only in that D' ⊆ D
and T' ⊆ T. That is, we require:

• D' ⊆ D,
• T' ⊆ T,
• X = X', Q = Q', Θ = Θ', H = H', I = I', and O = O'.


Our strategies are nondeterministic and memoryless. They provide a way of choosing some of the 
evolutions that are possible from each state x of A. The fact that the state set Q' of A’ is the same 
as the state set Q of A implies that A’ chooses evolutions from every state of A. 
Our notion of strategy is very similar to the winning strategies defined by Maler, Pnueli, and
Sifakis for certain games defined on Alur-Dill style timed automata [89]. The motivation for this 
work is the automatic synthesis of real-time controllers. Efficient algorithms for computing these 
strategies have recently been implemented in the tool Uppaal Tiga [17]. Notions of strategy have 
been used also in previous studies of receptiveness [24, 1, 107, 81]. However, in these earlier works, 
strategies are functions which, based on the full history, specify the next system move. Defining 
strategies using automata allows us to avoid introducing extra mathematical machinery. 


Lemma 7.5 If A' is a strategy for A, then every execution fragment of A' is also an execution fragment
of A.


We define a TIOA to be receptive if it has a progressive strategy. The following theorem says 
that any receptive TIOA can respond to any inputs from the environment. 


Theorem 7.6 Every receptive TIOA is I/O feasible. 


Proof. Immediate from the definitions, Theorem 7.4 and Lemma 7.5. 


Note that for this theorem to hold it is crucial that the progressive strategy A' for a receptive
TIOA A is defined for all states of A', not just for the reachable ones. Even though A and A'
have the same states, they may differ in their sets of reachable states. Thus, if we only have figured
out what to do in the reachable states of A', there may be some reachable states of A for which no
"strategy" has been defined.


Example 7.7 (Progressive and receptive TIOAs). The time-bounded channel automaton described
in Example 4.1 is not progressive since it allows for an infinite execution in which send and receive
actions alternate without any passage of time in between. The time-bounded channel automa-
ton is receptive, however, as we may construct a progressive strategy for it by adding a condition
head(queue).deadline = now to the precondition of the receive action. In this way we enforce
that the channel operates maximally slowly and messages are only delivered at their delivery deadline.
The clock synchronization automaton of Example 4.6 is progressive (and therefore receptive) since
it can only generate a locally controlled action each time its physical clock advances by u time units
and the real time that elapses between two locally produced actions is at least u × (1 − r) time units.
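The channel half of Example 7.7, as an added example that is not code from the monograph: a small discrete-event model of the time-bounded channel with bound b (its state variables, a queue of (message, deadline) pairs and a clock now, are an assumption, since Example 4.1 is not reproduced on this page). The flag strategy=True cuts the receive transitions down to the strategy described above, receive only when head(queue).deadline = now. The function e2_witness exhibits the trajectory Axiom E2 promises from a state, and burst shows why the original channel is not progressive while the strategy is: n sends at one instant can be answered by n receives at that same instant in the original, so a Zeno sequence of inputs yields infinitely many locally controlled actions in zero time, whereas under the strategy no receive happens before the deadline.

```python
import copy
from collections import deque

INFTY = float("inf")


class TimedChannel:
    """Time-bounded channel (Example 4.1, viewed as a TIOA as in Example 7.1).
    Input send(m) is always enabled (Axiom E1). Output receive delivers the
    oldest message no later than its deadline now + b; time may not pass
    beyond the oldest deadline, which is what makes Axiom E2 hold.
    With strategy=True the discrete transitions are restricted to the strategy
    of Example 7.7: receive only when head(queue).deadline = now."""

    def __init__(self, b, strategy=False):
        self.b, self.strategy = b, strategy
        self.now = 0.0
        self.queue = deque()          # (message, deadline), oldest first

    def send(self, m):                # E1: no precondition at all
        self.queue.append((m, self.now + self.b))

    def receive_enabled(self):
        if not self.queue:
            return False
        deadline = self.queue[0][1]
        return self.now == deadline if self.strategy else self.now <= deadline

    def receive(self):
        assert self.receive_enabled()
        return self.queue.popleft()[0]

    def deadline(self):               # 'stop when': no trajectory extends past it
        return self.queue[0][1] if self.queue else INFTY

    def advance(self, t):
        assert self.now <= t <= self.deadline()
        self.now = t


def e2_witness(ch):
    """The trajectory Axiom E2 promises from ch's current state: either
    ('infinite',) because time may advance forever, or ('closed', t, 'receive'),
    a closed trajectory ending at time t after which receive is enabled."""
    if ch.deadline() == INFTY:
        return ("infinite",)
    probe = copy.deepcopy(ch)
    probe.advance(probe.deadline())
    assert probe.receive_enabled()
    return ("closed", probe.now, "receive")


def burst(b, n, strategy):
    """n sends at time 0, then every receive enabled at time 0, then time
    advances to the first deadline and the remaining receives happen.
    Returns (receives at time 0, receives at time b)."""
    ch = TimedChannel(b, strategy)
    for i in range(n):
        ch.send(f"m{i}")              # constructed sample messages
    at_zero = 0
    while ch.receive_enabled():
        ch.receive()
        at_zero += 1
    if ch.queue:
        ch.advance(ch.deadline())
    at_b = 0
    while ch.receive_enabled():
        ch.receive()
        at_b += 1
    return at_zero, at_b


if __name__ == "__main__":
    ch = TimedChannel(2.0)
    print(e2_witness(ch))                 # ('infinite',)
    ch.send("hello")
    print(e2_witness(ch))                 # ('closed', 2.0, 'receive')
    print(burst(2.0, 5, strategy=False))  # (5, 0): delivered with no time passing
    print(burst(2.0, 5, strategy=True))   # (0, 5): delivered only at the deadline
```

The strategy keeps the state set, signature and trajectories of the channel and only removes discrete transitions, exactly the shape Section 7.3.3 requires of a strategy; under it a locally controlled action can follow a send only after b time units, so any finite interval contains at most as many receives as the sends that preceded it by b.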
7.4 IMPLEMENTATION RELATIONSHIPS
Two TIOAs A1 and A2 are comparable if their inputs and outputs coincide, that is, if I1 = I2 and
O1 = O2. If A1 and A2 are comparable, then A1 ≤ A2 is defined to mean that the traces of A1 are
included among those of A2: A1 ≤ A2 ≜ traces_{A1} ⊆ traces_{A2}.


Lemma 7.8 Let A1, A2 be two comparable TIOAs and let B1, B2 be, respectively, the underlying TAs
for A1 and A2. Then B1 and B2 are comparable and A1 ≤ A2 iff B1 ≤ B2.


Proof. Immediate from the definitions. 


7.5 SIMULATION RELATIONS


The definition of forward simulation for TIOAs is the same as for TAs. Formally, if A1 =
(B1, I1, O1) and A2 = (B2, I2, O2) are two comparable TIOAs, then a forward simulation from
A1 to A2 is a forward simulation from B1 to B2.

Theorem 7.9 If A1 and A2 are comparable TIOAs and there is a forward simulation from A1 to A2,
then A1 ≤ A2.


The definitions and results about backward simulations, history and prophecy relations for 
timed automata from Chapter 4 carry over to timed automata with input and output distinction in 
a similar fashion. 
CHAPTER 8

Operations on Timed I/O Automata


In this chapter, we define the operations of composition and hiding and present projection, pasting
and substitutivity results for TIOAs. We revisit the special kinds of TIOAs introduced in Chapter 7
and show that the classes of progressive and receptive TIOAs are closed under composition, while this
is not true for the class of I/O feasible automata.


8.1 COMPOSITION 


8.1.1 DEFINITIONS AND BASIC RESULTS 


The definition of composition for TIOAs is based on the corresponding definition for TAs, but
also takes the input/output structure into account. We require that precisely one component should
"control" any given internal or output action. We say that TIOAs A1 and A2 are compatible if, for
i ≠ j, X_i ∩ X_j = H_i ∩ A_j = O_i ∩ O_j = ∅. It is immediate that if two TIOAs are compatible, their
underlying TAs are also compatible.


Lemma 8.1 If A1 = (B1, I1, O1) and A2 = (B2, I2, O2) are compatible TIOAs, then B1 and B2 are
compatible TAs.


If A1 and A2 are compatible TIOAs then their composition A1 || A2 is defined to be the tuple
A = (B, I, O) where:

• B = B1 || B2,
• I = (I1 ∪ I2) − (O1 ∪ O2), and
• O = O1 ∪ O2.


Thus, an external action of the composition is classified as an output if it is an output of one of
the component automata, and otherwise it is classified as an input. The composition of compatible
TIOAs is guaranteed to be a TIOA:


Theorem 8.2 If A1 and A2 are compatible TIOAs then A1 || A2 is a TIOA.
Proof. The proof is straightforward except for showing that Axiom E2 is satisfied by the composition.
Let x be a state of A1 || A2. We need to show the existence of a trajectory from x that satisfies E2.

By definition of A1 || A2, x⌈X1 is a state of A1 and x⌈X2 is a state of A2. We know that both
A1 and A2 satisfy E2. Let τ1 be a trajectory of A1 with τ1.fstate = x⌈X1 that satisfies E2, let τ2 be
a trajectory of A2 with τ2.fstate = x⌈X2 that satisfies E2, and consider the following cases.

1. τ1.ltime = ∞ and τ2.ltime = ∞.
Then, define τ such that τ↓X1 = τ1 and τ↓X2 = τ2.

2. τ1.ltime = ∞ and τ2 is closed where some l ∈ L2 is enabled in τ2.lstate.
Then, define τ such that τ↓X1 = τ1⌈dom(τ2) and τ↓X2 = τ2.

3. τ1 is closed where some l ∈ L1 is enabled in τ1.lstate and τ2.ltime = ∞.
Then, define τ such that τ↓X1 = τ1 and τ↓X2 = τ2⌈dom(τ1).

4. τ1 is closed where some l ∈ L1 is enabled in τ1.lstate and τ2 is closed where some l ∈ L2 is
enabled in τ2.lstate.
If dom(τ1) ⊆ dom(τ2), then define τ such that τ↓X1 = τ1 and τ↓X2 = τ2⌈dom(τ1). Oth-
erwise, define τ such that τ↓X1 = τ1⌈dom(τ2) and τ↓X2 = τ2.

In all the cases, τ is a trajectory of A1 || A2 from x, and either τ.ltime = ∞ or τ is closed. Moreover,
if τ is closed then in the last state one of the automata, say A_i, enables a locally controlled action
l. Since A1 and A2 are compatible, either l is not in the signature of the other automaton A_j, or l
is an input action of A_j which is enabled in any state of A_j by Axiom E1. In both cases, the
last state of τ enables l in the composition A1 || A2. This completes the proof that A1 || A2 satisfies
Axiom E2.


Note that this theorem is stronger than the corresponding theorem [79, Theorem 6.12] for
general HIOAs. Two HIOAs A1 and A2 are required to be "strongly compatible" for their compo-
sition to be a hybrid I/O automaton. This extra condition is needed to rule out dependencies among
external variables that may prevent the component automata from evolving together. The absence
of external variables in TIOA eliminates this kind of problematic behavior. Thus, for the timed case,
we do not require the notion of strong compatibility that was needed for the hybrid case.

Composition of TIOAs satisfies the following projection and pasting results, which follow 
from the corresponding results for TAs (Theorems 5.4 and 5.5). 


Theorem 8.3 Let A1 and A2 be compatible TIOAs, and let A = A1 || A2. Let α_i be an execution
fragment of A_i, i ∈ {1, 2}.

Let β be an (E, ∅)-sequence, where E is the set of external actions of A. Suppose that β⌈(E_i, ∅) =
trace(α_i), i ∈ {1, 2}. Then there exists an execution fragment α of A such that trace(α) = β and α_i =
α⌈(A_i, X_i), i ∈ {1, 2}.
Theorem 8.4 Let A1 and A2 be compatible TIOAs, let A = A1 || A2, and let E be the set of external
actions of A. Then traces_A is exactly the set of (E, ∅)-sequences whose restrictions to A1 and A2 are traces
of A1 and A2, respectively.

That is, traces_A = {β | β is an (E, ∅)-sequence and β⌈(E_i, ∅) ∈ traces_{A_i}, i ∈ {1, 2}}.


8.1.2 SUBSTITUTIVITY RESULTS 


The following theorem is analogous to Theorem 5.9 for TAs. It shows that the introduction of this 
distinction does not cause any changes to the substitutivity results we obtained for general TAs. 


Theorem 8.5 Suppose A1 and A2 are comparable TIOAs with A1 ≤ A2. Suppose that B is a TIOA
that is compatible with each of A1 and A2. Then A1||B ≤ A2||B.


The corollaries are analogous to Corollaries 5.10 and 5.11 of Theorem 5.9. 


Corollary 8.6 Suppose A1, A2, B1, and B2 are TIOAs, A1 and A2 are comparable, B1 and B2 are
comparable, and each of A1 and A2 is compatible with each of B1 and B2. If A1 ≤ A2 and B1 ≤ B2
then A1||B1 ≤ A2||B2.

Corollary 8.7 Suppose A1, A2, B1, and B2 are TIOAs, A1 and A2 are comparable, B1 and B2 are
comparable, and each of A1 and A2 is compatible with each of B1 and B2. If A1||B2 ≤ A2||B2 and
B1 ≤ B2 then A1||B1 ≤ A2||B2.


The basic substitutivity theorem, Theorem 8.5, is desirable for any formalism for interacting
processes. For design purposes, it enables one to refine individual components without violating the
correctness of the system as a whole. For verification purposes, it enables one to prove that a compos-
ite system satisfies its specification by proving that each component satisfies its specification, thereby
breaking down the verification task into more manageable pieces. However, it might not always be
possible or easy to show that each component A1 (resp. B1) satisfies its specification A2 (resp. B2)
without using any assumptions about the environment of the component. Assume-guarantee style
results [1, 2, 31, 48, 52, 101, 114, 115] are special kinds of substitutivity results that state what
guarantees are expected from each component in an environment constrained by certain assump-
tions. Since the environment of each component consists of the other components in the system,
assume-guarantee style results need to break the circular dependencies between the assumptions
and guarantees for components. Below, we present two assume-guarantee style theorems, Theo-
rem 8.8 and Corollary 8.9 taken from [55], which can be used for proving that a system specified as
a composite automaton A1||B1 implements a specification represented by a composite automaton
A2||B2.

The main idea behind Theorem 8.8 is to assume that A1 implements A2 in a context repre-
sented by B2, and symmetrically that B1 implements B2 in a context represented by A2, where A2
and B2 are automata whose trace sets are closed under limits. The requirement about limit-closure
implies that A2 and B2 specify trace safety properties. Moreover, we assume that the trace sets of A2
and B2 are closed under time-extension. That is, the automata allow arbitrary time-passage. This
is the most general assumption one could make to ensure that A2||B2 does not impose stronger
constraints on time-passage than A1||B1. Recall that the definition of time extension of a hybrid
sequence can be found in Section 3.4.1.


Theorem 8.8 Suppose A1, A2, B1, B2 are TIOAs such that A1 and A2 are comparable, B1 and B2 are
comparable, and each of A1 and A2 is compatible with each of B1 and B2. Suppose further that:

1. the sets traces_{A2} and traces_{B2} are closed under limits;

2. the sets traces_{A2} and traces_{B2} are closed under time-extension;

3. A1||B2 ≤ A2||B2 and A2||B1 ≤ A2||B2.

Then, A1||B1 ≤ A2||B2.


Proof. Let β be a closed trace of A1||B1. We first prove by induction on the i-length of β that β is
also a trace of A2||B2.

For the base case, assume that β has i-length 1. Then β consists of a single point trajectory
over the empty set of variables. Axiom T0 in the definition of a TA implies that β is a trace of
A2||B2, as needed.


For the inductive step we consider the following cases. 


1. β = β' a τ, where a is an output action of A1 and τ is a point trajectory.

Then β⌈(E_{A1}, ∅) ∈ traces_{A1} by projection using Theorem 8.4. By the inductive hypothesis, β' ∈
traces_{A2||B2}. So β'⌈(E_{B2}, ∅) ∈ traces_{B2}, by projection using Theorem 8.4. Let α be an execution
of B2 such that trace(α) = β'⌈(E_{B2}, ∅). Since A1 and B2 are compatible TIOAs and a is an
output action of A1, we know that either a is an input action of B2 or the action set of B2 does
not contain a. In the former case, by the input-enabling axiom (E1) we know that there exists
x' such that (α.lstate, a, x') is a discrete transition of B2. It follows that β⌈(E_{B2}, ∅) ∈ traces_{B2}.
In the latter case, since β⌈(E_{B2}, ∅) = β'⌈(E_{B2}, ∅) and β'⌈(E_{B2}, ∅) ∈ traces_{B2}, we also get
β⌈(E_{B2}, ∅) ∈ traces_{B2}. By pasting using Theorem 8.4, β ∈ traces_{A1||B2}. Then by Assumption
3, β ∈ traces_{A2||B2}.


2. β = β' b τ, where b is an output action of B1 and τ is a point trajectory.
This case is symmetric with the previous one.


3. β = β' c τ, where c is an input action of both A1 and B1 and τ is a point trajectory.

By the inductive hypothesis, β' ∈ traces_{A2||B2}. By projection using Theorem 8.4 we get
β'⌈(E_{A2}, ∅) ∈ traces_{A2} and β'⌈(E_{B2}, ∅) ∈ traces_{B2}. Let α be an execution of A2 such that
trace(α) = β'⌈(E_{A2}, ∅). Since A1 and A2 are comparable and c is an input action of A1 we
know that c is an input action of A2. By the input-enabling axiom (E1) we know that there
exists x' such that (α.lstate, c, x') is a discrete transition of A2. It follows that β⌈(E_{A2}, ∅) ∈
traces_{A2}. Similarly, let α' be an execution of B2 such that trace(α') = β'⌈(E_{B2}, ∅). Since B1
and B2 are comparable and c is an input action of B1, we know that c is an input action of B2.
By the input-enabling axiom (E1) we know that there exists y' such that (α'.lstate, c, y') is a
discrete transition of B2. It follows that β⌈(E_{B2}, ∅) ∈ traces_{B2}. By pasting using Theorem 8.4,
we get β ∈ traces_{A2||B2}.


4. β = β' d τ, where d is an input action of A1 but not an action of B1 and τ is a point trajectory.

By the inductive hypothesis, β' ∈ traces_{A2||B2}. By projection using Theorem 8.4, we have
β'⌈(E_{A2}, ∅) ∈ traces_{A2} and β'⌈(E_{B2}, ∅) ∈ traces_{B2}. Let α be an execution of A2 such that
trace(α) = β'⌈(E_{A2}, ∅). Since A1 and A2 are comparable TIOAs and d is an input ac-
tion of A1, d must be an input action of A2. By the input-enabling axiom (E1) we
know that there exists x' such that (α.lstate, d, x') is a discrete transition of A2. It fol-
lows that β⌈(E_{A2}, ∅) ∈ traces_{A2}. Since B1 and B2 are comparable and d is not an action
of B1, d cannot be an external action of B2. Therefore, β⌈(E_{B2}, ∅) = β'⌈(E_{B2}, ∅). Since
β'⌈(E_{B2}, ∅) ∈ traces_{B2}, we get β⌈(E_{B2}, ∅) ∈ traces_{B2}. By pasting using Theorem 8.4, we get
β ∈ traces_{A2||B2}.


5. β = β' e τ, where e is an input action of B1 but not an action of A1 and τ is a point trajectory.


This case is symmetric with the previous one. 


6. β = β' ⌢ β'', where β' ends with a point trajectory and β'' is a hybrid sequence consisting of
a single trajectory τ.

By the inductive hypothesis, β' ∈ traces_{A2||B2}. By projection using Theorem 8.4, we
get β'⌈(E_{A2}, ∅) ∈ traces_{A2} and β'⌈(E_{B2}, ∅) ∈ traces_{B2}. By Assumption 2, we have
β'⌈(E_{A2}, ∅) ⌢ β''⌈(E_{A2}, ∅) ∈ traces_{A2} and β'⌈(E_{B2}, ∅) ⌢ β''⌈(E_{B2}, ∅) ∈ traces_{B2}. Then by
pasting using Theorem 8.4, β ∈ traces_{A2||B2}, as needed.


We have thus shown that every closed trace of A1||B1 is a trace of A2||B2. Now consider any
nonclosed trace β of A1||B1. This β can be written as the limit of a sequence β1 β2 ⋯ of closed
traces of A1||B1. By the first part of the proof we know that each β_i ∈ traces_{A2||B2}, and by projection
using Theorem 8.4 each β_i⌈(E_{A2}, ∅) is a closed trace of A2, and β_i⌈(E_{B2}, ∅) is a closed trace of B2.
Since restriction is a continuous operation (Lemma 3.8), we know that β⌈(E_{A2}, ∅) is the limit of
the β_i⌈(E_{A2}, ∅) and similarly β⌈(E_{B2}, ∅) is the limit of the β_i⌈(E_{B2}, ∅). Since the sets traces_{A2} and
traces_{B2} are limit-closed by Assumption 1, we get β⌈(E_{A2}, ∅) ∈ traces_{A2} and β⌈(E_{B2}, ∅) ∈ traces_{B2}.

Finally, by pasting using Theorem 8.4, we get β ∈ traces_{A2||B2}.


Note that automata with FIN and timing-independence (see Section 4.4 for definitions) 
constitute examples for context automata A2 and B2 that satisfy Assumptions 1 and 2. The property
FIN implies Assumption 1 (Lemma 4.20) and timing-independence implies Assumption 2.
Theorem 8.8 has a corollary, Corollary 8.9 below, which can be used in the decomposition of
proofs even when A2 and B2 neither admit arbitrary time-passage nor have limit-closed trace sets.
The main idea behind this corollary is to assume that A1 implements A2 in a context B3 that is a
variant of B2, and symmetrically that B1 implements B2 in a context A3 that is a variant of A2. That
is, the correctness of the implementation relationship between A1 and A2 does not depend on all the
environment constraints, just on those expressed by B3 (symmetrically for B1, B2, and A3). In order
to use this corollary to prove A1||B1 ≤ A2||B2, one needs to be able to find appropriate variants
of A2 and B2 that meet the required closure properties. This corollary prompts one to pin down
what is essential about the behavior of the environment in proving the intended implementation
relationship, and also allows one to avoid the unnecessary details of the environment in proofs.


Corollary 8.9 Suppose A1, A2, A3, B1, B2, B3 are TIOAs such that A1, A2, and A3 are comparable,
B1, B2, and B3 are comparable, and A_i is compatible with B_j for i, j ∈ {1, 2, 3}. Suppose further that:
1. the sets traces_{A3} and traces_{B3} are closed under limits;
2. the sets traces_{A3} and traces_{B3} are closed under time-extension;
3. A2||B3 ≤ A3||B3 and A3||B2 ≤ A3||B3;
4. A1||B3 ≤ A2||B3 and A3||B1 ≤ A3||B2.

Then, A1||B1 ≤ A2||B2.

Proof. Since A1||B3 ≤ A2||B3 by Assumption 4, and A2||B3 ≤ A3||B3 by Assumption 3, we
get A1||B3 ≤ A3||B3. Similarly, we have A3||B1 ≤ A3||B2 ≤ A3||B3. Since A1||B3 ≤ A3||B3 and
A3||B1 ≤ A3||B3, by using Assumptions 1 and 2, and Theorem 8.8 we have A1||B1 ≤ A3||B3. The
result then follows from Corollary 5.12.


Example 8.10 (Using environment assumptions to prove safety). This example illustrates that,
in cases where specifications A2 and B2 satisfy certain closure properties, it is possible to decompose
the proof of A1||B1 ≤ A2||B2 by using Theorem 8.8, even if it is not the case that A1 ≤ A2 or
B1 ≤ B2.

The automata AlternateA and AlternateB in Figure 8.1 are timing-independent automata
in which no consecutive outputs occur without inputs happening in between. AlternateA and
AlternateB perform a handshake, outputting an alternating sequence of a and b actions when they
are composed. The automata CatchUpA and CatchUpB in Figure 5.2 are timing-dependent automata
that do not necessarily alternate inputs and outputs as AlternateA and AlternateB do. CatchUpA can
perform an arbitrary number of b actions, and can perform an a provided that counta ≤ countb.
It allows counta to increase to one more than countb. CatchUpB can perform an arbitrary number
of a actions, and can perform a b provided that counta ≥ countb + 1. It allows countb to reach
counta. Timing constraints require each output to occur exactly one time unit after the last action.
automaton AlternateA
  signature
    output a, input b
  states
    myturn: Bool := true
  transitions
    output a
      pre myturn
      eff myturn := false
    input b
      eff myturn := true

automaton AlternateB
  signature
    input a, output b
  states
    myturn: Bool := false
  transitions
    input a
      eff myturn := true
    output b
      pre myturn
      eff myturn := false

Figure 8.1: AlternateA and AlternateB.


CatchUpA and CatchUpB perform an alternating sequence of a actions and b actions when they are
composed.

Suppose that we want to prove that CatchUpA || CatchUpB ≤ AlternateA || AlternateB. We
cannot apply the basic substitutivity theorem, Theorem 8.5, in particular Corollary 8.6, since the
assertions CatchUpA ≤ AlternateA and CatchUpB ≤ AlternateB are not true. Consider the trace
1 b 1 a 1 a 1 of CatchUpA. After having performed one b and one a, CatchUpA can perform another
a. But this is impossible for AlternateA, which needs an input to enable the second a. AlternateA
and CatchUpA behave similarly only when put in a context that imposes alternation.

It is easy to check that AlternateA and AlternateB satisfy the closure properties required by
Assumptions 1 and 2 of Theorem 8.8 and hence can be substituted for A2 and B2, respectively.
Similarly, we can easily check that Assumption 3 is satisfied if we substitute CatchUpA for A1 and
CatchUpB for B1.
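The three claims of Example 8.10 can be checked mechanically on a bounded horizon. The following is an added example, not code from the monograph: AlternateA and AlternateB follow Figure 8.1 exactly, while the CatchUp automata are an assumption reconstructed from the prose (Figure 5.2 is not reproduced on this page): the output guard is counta ≤ countb for CatchUpA and counta ≥ countb + 1 for CatchUpB, every action sets next := now + 1 so that an output occurs exactly one time unit after the last action, and the first output is assumed to be possible at time 1. The Composition class implements the I/O classification and compatibility check of Section 8.1.1; replay checks whether an automaton can produce a given discrete action sequence (inputs at any time, by Axiom E1), and discrete_traces enumerates the action sequences of a closed composition, letting time pass to the next "stop when" point whenever no output is enabled.

```python
import copy

INFTY = float("inf")

class Alternate:
    """Figure 8.1: output `out` needs myturn and clears it; input `inp` sets it."""
    def __init__(self, out, inp, myturn):
        self.outputs, self.inputs, self.myturn = {out}, {inp}, myturn
    def enabled(self):
        return set(self.outputs) if self.myturn else set()
    def step(self, act):
        self.myturn = act in self.inputs
    def deadline(self):            # timing-independent: time may pass forever
        return INFTY
    def advance(self, t):
        pass

class CatchUp:
    """Assumed model of CatchUpA/B (Figure 5.2 is not on this page): output `out`
    is enabled iff guard(counta, countb) holds and now = next; every action sets
    next := now + 1 (output exactly one unit after the last action)."""
    def __init__(self, out, inp, guard):
        self.outputs, self.inputs, self.guard = {out}, {inp}, guard
        self.counta = self.countb = 0
        self.now, self.next = 0.0, 1.0   # assumption: first output possible at time 1
    def enabled(self):
        ok = self.guard(self.counta, self.countb) and self.now == self.next
        return set(self.outputs) if ok else set()
    def step(self, act):
        self.counta += (act == "a")   # both components count every a and every b
        self.countb += (act == "b")
        self.next = self.now + 1
    def deadline(self):            # 'stop when now = next'
        return self.next
    def advance(self, t):
        assert self.now <= t <= self.next
        self.now = t

def alternate_a(): return Alternate("a", "b", True)
def alternate_b(): return Alternate("b", "a", False)
def catchup_a(): return CatchUp("a", "b", lambda ca, cb: ca <= cb)      # counta <= countb
def catchup_b(): return CatchUp("b", "a", lambda ca, cb: ca >= cb + 1)  # counta >= countb + 1

class Composition:
    """A1 || ... || An as in Section 8.1.1: O is the union of the Oi, I is the
    union of the Ii minus O, and compatibility forbids a shared output."""
    def __init__(self, *parts):
        self.parts, self.clock = parts, 0.0
        outs = [a for p in parts for a in p.outputs]
        assert len(outs) == len(set(outs)), "incompatible: shared output"
        self.outputs = set(outs)
        self.inputs = {a for p in parts for a in p.inputs} - self.outputs
    def enabled(self):
        return {a for p in self.parts for a in p.enabled()}
    def step(self, act):
        for p in self.parts:          # every component that has `act` takes it
            if act in p.inputs or act in p.outputs:
                p.step(act)
    def advance_to_deadline(self):
        # Let time pass to the earliest 'stop when' point; False when time is
        # unbounded or already there, i.e. nothing further can happen.
        t = min(p.deadline() for p in self.parts)
        if t == INFTY or t <= self.clock:
            return False
        for p in self.parts:
            p.advance(t)
        self.clock = t
        return True

def replay(comp, actions):
    """Can comp produce the discrete action sequence `actions`?  Inputs are accepted
    whenever they arrive (Axiom E1); for an output, time passes until it is enabled."""
    for act in actions:
        if act in comp.outputs:
            while act not in comp.enabled():
                if not comp.advance_to_deadline():
                    return False
        elif act not in comp.inputs:
            return False
        comp.step(act)
    return True

def discrete_traces(make, depth):
    """All action sequences of length <= depth of the closed composition make()."""
    found = set()
    def dfs(comp, trace):
        found.add(trace)
        if len(trace) == depth:
            return
        while not comp.enabled():
            if not comp.advance_to_deadline():
                return
        for act in sorted(comp.enabled()):
            succ = copy.deepcopy(comp)
            succ.step(act)
            dfs(succ, trace + (act,))
    dfs(make(), ())
    return found

def refines(impl, spec, depth):
    return discrete_traces(impl, depth) <= discrete_traces(spec, depth)
```

Running replay(Composition(catchup_a()), ("b", "a", "a")) succeeds while the same sequence fails on AlternateA, which is the non-refinement CatchUpA ≰ AlternateA discussed above; refines on the two closed compositions confirms the bounded inclusion CatchUpA || CatchUpB ≤ AlternateA || AlternateB, and the enumerated traces are exactly the prefixes of a b a b ⋯, because after each action exactly one of the two guards counta ≤ countb and counta ≥ countb + 1 holds. The bounded enumeration is a check on finitely many traces, not the proof of Theorem 8.8, which covers all traces including nonclosed ones.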
Example 8.11 (Extracting essential environment assumptions with auxiliary automata). This ex-
ample illustrates that it may be possible to decompose verification, using Corollary 8.9, in cases
where Theorem 8.8 is not applicable. If the aim is to show A1||B1 ≤ A2||B2 where A2 and B2 do
not satisfy the assumptions of Theorem 8.8, then we find appropriate context automata A3 and B3
that abstract from those details of A2 and B2 that are not essential in proving A1||B1 ≤ A2||B2.


automaton UseOldInputA
  signature
    output a, input b
  states
    maxout: Nat, now: Real := 0, next: AugmentedReal := 0
  transitions
    output a
      pre (maxout > 0) ∧ (now = next)
      eff maxout := maxout - 1;
          next := infty
    input b
      eff if next = infty
          then next := now + 1
  trajectories
    stop when
      now = next
    evolve
      d(now) = 1

automaton UseOldInputB
  signature
    input a, output b
  states
    maxout: Nat, now: Real := 0, next: AugmentedReal := infty
  transitions
    input a
      eff if next = infty
          then next := now + 1
    output b
      pre (maxout > 0) ∧ (now = next)
      eff maxout := maxout - 1;
          next := infty
  trajectories
    stop when
      now = next
    evolve
      d(now) = 1

Figure 8.2: UseOldInputA and UseOldInputB.




UseNewInputA 

signature 
  output a, input b 
states 
  maxout: Nat, now: Real := 0, next: AugmentedReal := 0 
transitions 
  output a 
    pre 
      (maxout > 0) ∧ (now = next) 
    eff 
      maxout := maxout - 1; 
      next := infty 
  input b 
    eff 
      next := now + 1 
trajectories 
  stop when 
    now = next 
  evolve 
    d(now) = 1 

UseNewInputB 

signature 
  input a, output b 
states 
  maxout: Nat, now: Real := 0, next: AugmentedReal := infty 
transitions 
  input a 
    eff 
      next := now + 1 
  output b 
    pre 
      (maxout > 0) ∧ (now = next) 
    eff 
      maxout := maxout - 1; 
      next := infty 
trajectories 
  stop when 
    now = next 
  evolve 
    d(now) = 1 

Figure 8.3: UseNewInputA and UseNewInputB. 


Consider the automata UseOldInputA and UseOldInputB in Figure 8.2. UseOldInputA keeps 
track of the next time it is supposed to perform an output, which may be never (infty). The 
number of outputs that UseOldInputA can perform is bounded by a natural number. In the case 
of repeated b inputs, it is the oldest input that determines when the next output will occur. The 
automaton UseOldInputB is the same as UseOldInputA (inputs and outputs reversed) except that the 
next variable of UseOldInputB is set to infty initially. Note that UseOldInputA and UseOldInputB 
are not timing-independent and their trace sets are not limit-closed. For each automaton, there are 
infinitely many start states, one for each natural number. We can build an infinite chain of traces, 
where each element in the chain corresponds to an execution starting from a distinct start state. The 
limit of such a chain, which contains infinitely many outputs, cannot be a trace of UseOldInputA or 
UseOldInputB since the number of outputs they can perform is bounded by a natural number. The 
automaton UseNewInputA in Figure 8.3 behaves similarly to UseOldInputA except for the handling of 
inputs. In the case of repeated b inputs, it is the most recent input that determines when the next 
output will occur. The automaton UseNewInputB in Figure 8.3 is the same as UseNewInputA (inputs 
and outputs reversed) except that the next variable of UseNewInputB is set to infty initially. Suppose 
that we want to prove that: 


UseNewInputA||UseNewInputB ≤ UseOldInputA||UseOldInputB. 


Theorem 8.8 is not applicable here because the high-level automata UseOldInputA and UseOldInputB 
do not satisfy the required closure properties. However, we can use Corollary 8.9 to decompose 
verification. It requires us to find auxiliary automata that are less restrictive than UseOldInputA and 
UseOldInputB but that are restrictive enough to express the constraints that should be satisfied by 
the environment, for UseNewInputA to implement UseOldInputA and for UseNewInputB to implement 
UseOldInputB. 

The automata AlternateA and AlternateB in Figure 8.1 can be used as auxiliary automata in 
this example. They satisfy the closure properties required by Corollary 8.9 and impose alternation, 
which is the only additional condition to ensure the needed trace inclusion. 

We can define a forward simulation relation from UseNewInputA || UseNewInputB to 
UseOldInputA || UseOldInputB, which is based on the equality of the next = infty predicate of 
the implementation and the specification automata. The fact that this simulation relation only 
uses the predicate next = infty reinforces the idea that the auxiliary contexts, which only keep 
track of their turn, capture exactly what is needed for the proof of UseNewInputA || UseNewInputB ≤ 
UseOldInputA || UseOldInputB. We can observe that a direct proof of this assertion would require 
one to deal with state variables such as maxout and next of both UseOldInputA and UseOldInputB, 
which do not play any essential role in the proof. On the other hand, by decomposing the proof 
along the lines of Corollary 8.9, some of the unnecessary details can be avoided. Even though this 
is a toy example with an easy proof, it should not be hard to observe how this simplification would 
scale to large proofs. 
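The behavioral difference between Figures 8.2 and 8.3, as an added simulation that is not the book's own code: UseOldInputA and UseNewInputA are modeled by one Python class, driven by a constructed schedule of b inputs, and the automaton performs a as soon as it is enabled. Repeated inputs separate the two automata, alternating inputs do not, and an exhausted maxout at a stop point shows why time can no longer pass.

```python
INFTY = float("inf")  # the AugmentedReal value infty

class UseInputA:
    """UseOldInputA (old_input=True) or UseNewInputA (old_input=False)."""
    def __init__(self, maxout, old_input):
        self.maxout = maxout    # bound on the number of a outputs (Nat)
        self.now = 0.0          # current time; evolves with d(now) = 1
        self.next = 0.0         # time of the next a output; 0 in the start state
        self.old_input = old_input
        self.trace = []         # (time, action) pairs: the timed trace so far

    def input_b(self):
        # UseOldInputA: only a b with no output pending (next = infty) schedules
        # one. UseNewInputA: every b reschedules the output to now + 1.
        if not self.old_input or self.next == INFTY:
            self.next = self.now + 1
        self.trace.append((self.now, "b"))

    def output_a_enabled(self):
        return self.maxout > 0 and self.now == self.next

    def output_a(self):
        assert self.output_a_enabled()
        self.maxout -= 1
        self.next = INFTY
        self.trace.append((self.now, "a"))

    def advance(self, target):
        # Trajectory: time may flow only up to the stopping condition now = next.
        assert self.now <= target <= self.next
        self.now = target

def run(old_input, b_times, maxout=3):
    """Deliver b inputs at the given (constructed) times and perform a as soon
    as it is enabled. Returns (trace, timelocked)."""
    aut = UseInputA(maxout, old_input)
    pending = sorted(b_times)
    while True:
        t = min(pending[0] if pending else INFTY, aut.next)
        if t == INFTY:             # nothing pending: time may pass forever
            return aut.trace, False
        aut.advance(t)
        if aut.output_a_enabled():
            aut.output_a()
        elif aut.now == aut.next:  # maxout exhausted at a stop point: time cannot pass
            return aut.trace, True
        if pending and pending[0] == t:
            pending.pop(0)
            aut.input_b()
```

With inputs at 0.5 and 0.75, UseOldInputA outputs at 1.5 (oldest input) and UseNewInputA at 1.75 (most recent); with alternating inputs both produce the same trace.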


8.1.3 COMPOSITION OF SPECIAL KINDS OF TIOAS 
The following example illustrates that the set of I/O feasible TIOAs is not closed under composition: 


Example 8.12 (Two I/O feasible TIOAs whose composition is not I/O feasible). Consider two 
I/O feasible TIOAs A and B, where O_A = I_B = {a} and O_B = I_A = {b}. Suppose that A performs 
its output a at time 0 and then waits, allowing time to pass, until it receives input b. If and when 
it receives b, it responds with output a without allowing any time to pass (and ignoring any inputs 
that occur before it has a chance to perform its output). On the other hand, B starts out waiting, 
allowing time to pass, until it receives input a. If and when it receives a, it responds with output b 
without allowing time to pass. 

It is not difficult to see that A and B are individually I/O feasible. We claim that the 
composition A||B is not I/O feasible. To see this, consider the start state of A||B and the unique input 
sequence β with β.ltime = ∞; β simply allows time to pass to infinity. The composition A||B has 
no way of accommodating this input, since it will never allow time to pass beyond 0. 


In contrast to this, the classes of progressive and receptive TIOAs are closed under 
composition: 


Theorem 8.13 If A1 and A2 are compatible progressive TIOAs, then their composition is also progressive. 


Proof. The proof is similar to the proof of Theorem 7.4 in [79]. The main idea behind the proof is 
that a Zeno execution of A1||A2 with infinitely many locally controlled actions contains infinitely 
many locally controlled actions of either A1 or A2. Suppose without loss of generality that the 
automaton that contributes infinitely many locally controlled actions is A1. Then the projection 
onto A1 violates progressiveness for A1. 


Theorem 8.14 Let A1 and A2 be two compatible TIOAs with strategies A1' and A2' respectively. Then 
A1'||A2' is a strategy for A1||A2. 


Proof. The proof is similar to the proof of Theorem 7.7 in [79]. Since A1 and A2 are compatible 
and a strategy for a TIOA has the same signature as this TIOA, A1' and A2' are also compatible. 
Hence, by Theorem 8.2, A1'||A2' is a TIOA. Let A denote A1||A2 and let A' denote A1'||A2'. From 
the definition of composition and strategy, A' differs from A only in that D' ⊆ D and T' ⊆ T. 
Then the definition of strategy implies that A' is a strategy for A. 


Now, we can state the main result of this section, which follows easily from the previous two 
theorems. It shows that the class of receptive TIOAs is closed under composition. 


Theorem 8.15 Let A1 and A2 be compatible receptive TIOAs with progressive strategies A1' and A2' 
respectively. Then A1||A2 is a receptive TIOA with progressive strategy A1'||A2'. 


Example 8.16 (Composition of receptive TIOAs). Theorem 8.15 implies that the composition of 
clock synchronization automata with channel automata described in Example 5.8 (viewed as TIOAs 
as explained in Example 7.1) is receptive. Since by Theorem 7.6 any receptive TIOA is I/O feasible, 
we also have that it is I/O feasible. 


Actually, the fact that the set of I/O feasible TIOAs is not closed under composition motivated 
the definition of the more restrictive class of receptive TIOAs. That is, receptiveness is a reasonable 
sufficient condition that implies I/O feasibility, and that also is preserved by composition. 

The special case of the HIOA model, represented by the TIOA model, has simpler and stronger 
composition theorems than the general HIOA model. In particular, the main compositionality result 
for receptive HIOAs (Theorem 7.12 in [79]) has a more intricate proof than ours. It makes an 
assumption about the existence of strongly compatible strategies (discussed briefly at the end of 
Section 8.1.1) and needs an additional lemma that shows that if two HIOAs A1 and A2 have 
strongly compatible strategies A1' and A2', then A1 and A2 are also strongly compatible. 
We extend the definition of action hiding to any TIOA A. For TIOAs, we consider hiding outputs 
only (but not inputs), by converting them to internal actions. Namely, if A = (B, I, O) is a TIOA 
and O' ⊆ O, then 


ActHide(O', A) = (ActHide(O', B), I, O − O'). 

It is immediate from the definitions that hiding is a well-defined operation on TIOAs. 

Lemma 8.17 If A = (B, I, O) is a TIOA and O' ⊆ O then ActHide(O', A) is a TIOA. 


Using the corresponding result for TAs (Theorem 5.17), it is straightforward to establish that 
the hiding operation on TIOAs respects the implementation relation. 


Theorem 8.18 Suppose A1 and A2 are comparable TIOAs with A1 ≤ A2, and suppose O ⊆ O1. Then 
ActHide(O, A1) ≤ ActHide(O, A2). 
CHAPTER 9 


Conclusions and Future Work 


In this book, we presented the TIOA mathematical framework for describing and analyzing the 
behavior of timed systems and timed distributed algorithms. The TIOA framework is a special case 
of the Hybrid I/O Automaton modeling framework [79]. 

Designers of real-time systems or timing-based algorithms can use the TIOA framework to 
describe their systems and to decompose them into manageable pieces. In particular, they can 
describe their systems at multiple levels of abstraction, establish implementation relationships among 
these levels, and decompose their systems into more primitive, interacting components. Many timed 
systems and timed distributed algorithms have already been modeled and analyzed using TIOA, 
including systems for vehicle and air-traffic control, communication, and mobile robotics, and 
algorithms for implementing atomic memory, synchronizing clocks, and implementing applications 
in mobile wireless networks. 

Although the framework presented here provides only conceptual tools for modeling, and 
manual proof methods, it also is a natural basis for building computerized modeling and analysis 
tools. The Tempo language and toolset [51] provides basic tool support for TIOA. 

The TIOA framework does not include any facilities for modeling probabilistic behavior. A 
probabilistic extension of TIOA, PTIOA, was recently developed by Mitra and co-workers [94, 95]. 
In PTIOA, randomness appears in the form of random choices of the target states of discrete 
transitions. As in other probabilistic models, subtleties arise because of the interplay between 
nondeterministic and probabilistic choice: in order to define probability distributions on executions 
and traces, some mechanism is needed for resolving the nondeterministic choices. PTIOA uses an 
oblivious scheduler mechanism. PTIOA includes facilities for composition and abstraction based 
on those in TIOA. The PTIOA framework borrows many ideas from an earlier Probabilistic Timed 
Automaton modeling framework of Segala [106]. 

The earliest version of this work [58] included additional material, such as: (a) notions of 
fairness for timed I/O automata, and results that state conditions under which the "fair" traces of 
one TIOA must be included among the fair traces of another; (b) a TIOA version of a region 
construction that is sometimes used for model-checking other types of timed automata models. 
We have not included this material here, since it has not yet been tested adequately on interesting 
examples. 

A great deal of interesting future work remains. First, on the theoretical side, we would like 
to have a general, unified input/output automaton modeling framework, extending the TIOA 
Automaton framework, which incorporates timed, hybrid, and probabilistic behavior. The probabilistic 
behavior might include continuous random choice during trajectories, rather than just probabilistic 
choice during discrete transitions. Such a unified framework would allow system and algorithm 
designers to model systems with a combination of timing-dependent, hybrid, and probabilistic 
behavior. An example of an application domain that could benefit from such a general framework is 
robot motion coordination. 

Second, and also theoretically, work remains in relating our framework formally to others that 
are comparable, such as [91, 107, 87, 86, 7, 88]. 

Third, many more systems and algorithms can be modeled and analyzed using TIOAs. 
Especially promising application domains include wireless networks, embedded systems, and mobile 
robotics. TIOAs are particularly useful for modeling mobile systems, because they provide natural 
facilities for modeling the behavior of physical system components (e.g., the motion of vehicles or 
robots), as well as that of the software. 

Fourth, and finally, more and better tools for analyzing TIOA descriptions would be most 
welcome. The Tempo system uses a programmer-friendly plug-in architecture that should make it 
easy for a tool developer to integrate new analysis tools, with new capabilities, into the current basic 
system. 